js: Inline expectation should have space after $

This was a regex-find-replace from `// \$(?! )` (using a negative lookahead) to `// $ `.

javascript/ql/test/library-tests/frameworks/WebSocket/browser.js

@@ -1,34 +1,34 @@
 (function () {
-	const socket = new WebSocket('ws://localhost:8080'); // $clientSocket
+	const socket = new WebSocket('ws://localhost:8080'); // $ clientSocket
 
 	socket.addEventListener('open', function (event) {
-		socket.send('Hi from browser!'); // $clientSend
+		socket.send('Hi from browser!'); // $ clientSend
 	});
 
 	socket.addEventListener('message', function (event) {
 		console.log('Message from server ', event.data); // $ remoteFlow
-	}); // $clientReceive
+	}); // $ clientReceive
 
 	socket.onmessage = function (event) {
 		console.log("Message from server 2", event.data); // $ remoteFlow
-	}; // $clientReceive
+	}; // $ clientReceive
 })();
 
 
 (function () {
-	var sock = new SockJS('http://0.0.0.0:9999/echo'); // $clientSocket
+	var sock = new SockJS('http://0.0.0.0:9999/echo'); // $ clientSocket
 	sock.onopen = function () {
-		sock.send('test'); // $clientSend
+		sock.send('test'); // $ clientSend
 	};
-	
+
 	sock.onmessage = function (e) {
 		console.log('message', e.data); // $ remoteFlow
 		sock.close();
-	}; // $clientReceive
-	
+	}; // $ clientReceive
+
 	sock.addEventListener('message', function (event) {
 		console.log('Using addEventListener ', event.data); // $ remoteFlow
-	}); // $clientReceive
+	}); // $ clientReceive
 })();
 
 export const MyWebSocket = WebSocket;

javascript/ql/test/library-tests/frameworks/WebSocket/client.js

@@ -1,15 +1,15 @@
 const WebSocket = require('ws');
 
 (function () {
-	const ws = new WebSocket('ws://example.org'); // $clientSocket
+	const ws = new WebSocket('ws://example.org'); // $ clientSocket
 
 	ws.on('open', function open() {
-		ws.send('Hi from client!'); // $clientSend
+		ws.send('Hi from client!'); // $ clientSend
 	});
 
 	ws.on('message', function incoming(data) { // $ remoteFlow
 		console.log(data);
-	}); // $clientReceive
+	}); // $ clientReceive
 })();
 
 module.exports.MyWebSocketWS = require('ws');

javascript/ql/test/library-tests/frameworks/WebSocket/server.js

@@ -3,12 +3,12 @@ const WebSocket = require('ws');
 (function () {
 	const wss = new WebSocket.Server({ port: 8080 });
 
-	wss.on('connection', function connection(ws) { // $serverSocket
-		ws.on('message', function incoming(message) { // $remoteFlow
+	wss.on('connection', function connection(ws) { // $ serverSocket
+		ws.on('message', function incoming(message) { // $ remoteFlow
 			console.log('received: %s', message);
-		}); // $serverReceive
+		}); // $ serverReceive
 
-		ws.send('Hi from server!'); // $serverSend
+		ws.send('Hi from server!'); // $ serverSend
 	});
 })();
 

javascript/ql/test/library-tests/frameworks/WebSocket/sockjs.js

@@ -5,11 +5,11 @@ const sockjs = require('sockjs');
 const app = express();
 const server = http.createServer(app);
 const sockjs_echo = sockjs.createServer({});
-sockjs_echo.on('connection', function (conn) { // $serverSocket
-    conn.on('data', function (message) { // $remoteFlow
+sockjs_echo.on('connection', function (conn) { // $ serverSocket
+    conn.on('data', function (message) { // $ remoteFlow
         var data = JSON.parse(message);
-        conn.write(JSON.stringify(eval(data.test))); // $serverSend
-    }); // $serverReceive
+        conn.write(JSON.stringify(eval(data.test))); // $ serverSend
+    }); // $ serverReceive
 });
 
 sockjs_echo.installHandlers(server, { prefix: '/echo' });

javascript/ql/test/query-tests/Declarations/SuspiciousMethodNameDeclaration/tst.ts

@@ -7,7 +7,7 @@ interface MyInterface {
   constructor(): string; // $ Alert - This a called "constructor"
   new(): Date; // OK - This a constructor signature.
 
-  myNumber: 123; 
+  myNumber: 123;
 }
 
 var a : MyFunction = null as any;
@@ -25,7 +25,7 @@ class Foo {
 
   }
   myString = "foobar"
-  
+
   myMethod(): boolean {
     return Math.random() > 0.5;
   }
@@ -71,17 +71,17 @@ class StaticMethods {
 }
 
 interface Overloaded {
-  function(x: string): string; // $Alert
-  function(x: number): number; // $Alert
-  function(x: any): any; // $Alert
+  function(x: string): string; // $ Alert
+  function(x: number): number; // $ Alert
+  function(x: any): any; // $ Alert
 }
 
 abstract class AbstractFoo {
-  abstract new(): void; // $Alert
+  abstract new(): void; // $ Alert
 }
 
 abstract class AbstractFooFunction {
-  abstract function(): number; // $Alert
+  abstract function(): number; // $ Alert
 }
 
 abstract class AbstractFooConstructor {
@@ -90,12 +90,12 @@ abstract class AbstractFooConstructor {
 
 declare module "some-module" {
   interface ModuleInterface {
-    function(): void;  // $Alert
+    function(): void;  // $ Alert
   }
 }
 
 type Intersection = {
-  function(): number; // $Alert
+  function(): number; // $ Alert
 } & {
   other(): string;
 };
@@ -107,13 +107,13 @@ type Union = {
 };
 
 type Union2 = {
-  constructor(): number; // $Alert
+  constructor(): number; // $ Alert
 } | {
   valid(): string;
 };
 
 type Intersection2 = {
-  constructor(): number; // $Alert
+  constructor(): number; // $ Alert
 } & {
   other(): string;
 };

javascript/ql/test/query-tests/Quality/UnhandledErrorInStreamPipeline/test.js

@@ -1,7 +1,7 @@
 function test() {
   {
     const stream = getStream();
-    stream.pipe(destination).on("error", e); // $Alert
+    stream.pipe(destination).on("error", e); // $ Alert
   }
   {
     const stream = getStream();
@@ -16,7 +16,7 @@ function test() {
   {
     const stream = getStream();
     const s2 = stream;
-    s2.pipe(dest).on("error", e); // $Alert
+    s2.pipe(dest).on("error", e); // $ Alert
   }
   {
     const stream = getStream();
@@ -33,7 +33,7 @@ function test() {
   {
     const s = getStream().on('error', handler);
     const d = getDest();
-    s.pipe(d); 
+    s.pipe(d);
   }
   {
     getStream().on('error', handler).pipe(dest);
@@ -42,12 +42,12 @@ function test() {
     const stream = getStream();
     stream.on('error', handleError);
     const stream2 = stream.pipe(destination);
-    stream2.pipe(destination2).on("error", e); // $Alert
+    stream2.pipe(destination2).on("error", e); // $ Alert
   }
   {
     const stream = getStream();
     stream.on('error', handleError);
-    const destination  = getDest();
+    const destination = getDest();
     destination.on('error', handleError);
     const stream2 = stream.pipe(destination);
     const s3 = stream2;
@@ -57,13 +57,13 @@ function test() {
     const stream = getStream();
     stream.on('error', handleError);
     const stream2 = stream.pipe(destination);
-    stream2.pipe(destination2).on("error", e); // $Alert
+    stream2.pipe(destination2).on("error", e); // $ Alert
   }
   { // Error handler on destination instead of source
     const stream = getStream();
     const dest = getDest();
     dest.on('error', handler);
-    stream.pipe(dest).on("error", e); // $Alert
+    stream.pipe(dest).on("error", e); // $ Alert
   }
   { // Multiple aliases, error handler on one
     const stream = getStream();
@@ -76,7 +76,7 @@ function test() {
     const stream = getStream();
     const s2 = stream.pipe(destination1);
     stream.on('error', handleError);
-    s2.pipe(destination2).on("error", e); // $Alert
+    s2.pipe(destination2).on("error", e); // $ Alert
   }
   { // Handler registered via .once
     const stream = getStream();
@@ -91,24 +91,24 @@ function test() {
   { // Handler registered for unrelated event
     const stream = getStream();
     stream.on('close', handleClose);
-    stream.pipe(dest).on("error", e); // $Alert
+    stream.pipe(dest).on("error", e); // $ Alert
   }
   { // Error handler registered after pipe, but before error
     const stream = getStream();
     stream.pipe(dest);
-    setTimeout(() => stream.on('error', handleError), 8000); // $MISSING:Alert
+    setTimeout(() => stream.on('error', handleError), 8000); // $ MISSING:Alert
   }
   { // Pipe in a function, error handler outside
     const stream = getStream();
-    function doPipe(s) { s.pipe(dest); } 
+    function doPipe(s) { s.pipe(dest); }
     stream.on('error', handleError);
     doPipe(stream);
   }
   { // Pipe in a function, error handler not set
     const stream = getStream();
-    function doPipe(s) { 
-      f = s.pipe(dest); // $Alert
-      f.on("error", e); 
+    function doPipe(s) {
+      f = s.pipe(dest); // $ Alert
+      f.on("error", e);
     }
     doPipe(stream);
   }
@@ -116,7 +116,7 @@ function test() {
     const stream = getStream();
     const event = 'error';
     stream.on(event, handleError);
-    stream.pipe(dest).on("error", e);  // $SPURIOUS:Alert
+    stream.pipe(dest).on("error", e);  // $ SPURIOUS:Alert
   }
   { // Handler assigned via variable property
     const stream = getStream();
@@ -125,7 +125,7 @@ function test() {
     stream.pipe(dest);
   }
   { // Pipe with no intermediate variable, no error handler
-    getStream().pipe(dest).on("error", e); // $Alert
+    getStream().pipe(dest).on("error", e); // $ Alert
   }
   { // Handler set via .addListener synonym
     const stream = getStream();
@@ -143,7 +143,7 @@ function test() {
   }
   { // Long chained pipe without error handler
     const stream = getStream();
-    stream.pause().setEncoding('utf8').resume().pipe(writable).on("error", e); // $Alert
+    stream.pause().setEncoding('utf8').resume().pipe(writable).on("error", e); // $ Alert
   }
   { // Long chained pipe without error handler
     const stream = getStream();
@@ -157,13 +157,13 @@ function test() {
     const notStream = getNotAStream();
     const result = notStream.pipe(writable);
     const dealWithResult = (result) => { result.subscribe(); };
-    dealWithResult(result); 
+    dealWithResult(result);
   }
   { // Non-stream with pipe method that returns subscribable object (Streams do not have subscribe method)
     const notStream = getNotAStream();
     const pipeIt = (someVariable) => { return someVariable.pipe(something); };
     let x = pipeIt(notStream);
-    x.subscribe(); 
+    x.subscribe();
   }
   { // Calling custom pipe method with no arguments
     const notStream = getNotAStream();
@@ -179,7 +179,7 @@ function test() {
   }
   { // Member access on a stream after pipe
     const notStream = getNotAStream();
-    const val = notStream.pipe(writable).on("error", e).readable; // $Alert
+    const val = notStream.pipe(writable).on("error", e).readable; // $ Alert
   }
   { // Method access on a non-stream after pipe
     const notStream = getNotAStream();
@@ -189,14 +189,14 @@ function test() {
     const fs = require('fs');
     const stream = fs.createReadStream('file.txt');
     const copyStream = stream;
-    copyStream.pipe(destination).on("error", e); // $Alert
+    copyStream.pipe(destination).on("error", e); // $ Alert
   }
   {
     const notStream = getNotAStream();
     const something = notStream.someNotStreamPropertyAccess;
     const val = notStream.pipe(writable);
   }
-  { 
+  {
     const notStream = getNotAStream();
     const something = notStream.someNotStreamPropertyAccess();
     const val = notStream.pipe(writable);
@@ -207,7 +207,7 @@ function test() {
   }
   {
     const notStream = getNotAStream();
-    notStream.pipe(()=>{});
+    notStream.pipe(() => { });
   }
   {
     const plumber = require('gulp-plumber');
@@ -230,6 +230,6 @@ function test() {
   }
   {
     const notStream = getNotAStream();
-    notStream.pipe(getStream(),()=>{});
+    notStream.pipe(getStream(), () => { });
   }
 }

javascript/ql/test/query-tests/Quality/UnhandledErrorInStreamPipeline/tst.js

@@ -1,11 +1,11 @@
 const fs = require('fs');
 const zlib = require('zlib');
 
-function foo(){
+function foo() {
     const source = fs.createReadStream('input.txt');
     const gzip = zlib.createGzip();
     const destination = fs.createWriteStream('output.txt.gz');
-    source.pipe(gzip).pipe(destination); // $Alert    
+    source.pipe(gzip).pipe(destination); // $ Alert
     gzip.on('error', e);
 }
 class StreamWrapper {
@@ -34,14 +34,14 @@ function zip1() {
 function zip2() {
     const zipStream = createWriteStream(zipPath);
     let wrapper = new StreamWrapper();
-    let outStream = wrapper.outputStream.pipe(zipStream); // $Alert
+    let outStream = wrapper.outputStream.pipe(zipStream); // $ Alert
     outStream.on('error', e);
 }
 
 function zip3() {
     const zipStream = createWriteStream(zipPath);
     let wrapper = new StreamWrapper();
-    wrapper.outputStream.pipe(zipStream); // $Alert
+    wrapper.outputStream.pipe(zipStream); // $ Alert
     zipStream.on('error', e);
 }
 
@@ -49,14 +49,14 @@ function zip3() {
     const zipStream = createWriteStream(zipPath);
     let wrapper = new StreamWrapper();
     let source = getStream();
-    source.pipe(wrapper.outputStream); // $Alert
+    source.pipe(wrapper.outputStream); // $ Alert
     wrapper.outputStream.on('error', e);
 }
 
 function zip4() {
     const zipStream = createWriteStream(zipPath);
     let stream = getStream();
-    let output = stream.pipe(zipStream); // $Alert
+    let output = stream.pipe(zipStream); // $ Alert
     output.on('error', e);
 }
 
@@ -89,7 +89,7 @@ class StreamWrapper3 {
 function zip5() {
     const zipStream = createWriteStream(zipPath);
     let wrapper = new StreamWrapper3();
-    wrapper.pipeIt(zipStream); // $MISSING:Alert
+    wrapper.pipeIt(zipStream); // $ MISSING:Alert
     zipStream.on('error', e);
 }
 function zip6() {
@@ -108,6 +108,6 @@ function zip7() {
     const zipStream = createWriteStream(zipPath);
     let stream = getStream();
     registerErr(stream, e);
-    stream.pipe(zipStream); // $SPURIOUS:Alert
+    stream.pipe(zipStream); // $ SPURIOUS:Alert
     zipStream.on('error', e);
 }

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/execa.js

@@ -3,17 +3,17 @@ import http from 'node:http'
 import url from 'url'
 
 http.createServer(async function (req, res) {
-    let filePath = url.parse(req.url, true).query["filePath"][0]; // $Source
+    let filePath = url.parse(req.url, true).query["filePath"][0]; // $ Source
 
     // Piping to stdin from a file
-    await $({ inputFile: filePath })`cat` // $Alert
+    await $({ inputFile: filePath })`cat` // $ Alert
 
     // Piping to stdin from a file
-    await execa('cat', { inputFile: filePath });  // $Alert
+    await execa('cat', { inputFile: filePath });  // $ Alert
 
     // Piping Stdout to file
-    await execa('echo', ['example3']).pipeStdout(filePath); // $Alert
+    await execa('echo', ['example3']).pipeStdout(filePath); // $ Alert
 
     // Piping all of command output to file
-    await execa('echo', ['example4'], { all: true }).pipeAll(filePath); // $Alert
+    await execa('echo', ['example4'], { all: true }).pipeAll(filePath); // $ Alert
 });

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execa.js

@@ -3,33 +3,33 @@ import http from 'node:http'
 import url from 'url'
 
 http.createServer(async function (req, res) {
-    let cmd = url.parse(req.url, true).query["cmd"][0]; // $Source
-    let arg1 = url.parse(req.url, true).query["arg1"]; // $Source
-    let arg2 = url.parse(req.url, true).query["arg2"]; // $Source
-    let arg3 = url.parse(req.url, true).query["arg3"]; // $Source
+    let cmd = url.parse(req.url, true).query["cmd"][0]; // $ Source
+    let arg1 = url.parse(req.url, true).query["arg1"]; // $ Source
+    let arg2 = url.parse(req.url, true).query["arg2"]; // $ Source
+    let arg3 = url.parse(req.url, true).query["arg3"]; // $ Source
 
-    await $`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    await $`${cmd} ${arg1} ${arg2} ${arg3}`; // $ Alert
     await $`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
-    $({ shell: false }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
-    $({ shell: true }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    $({ shell: false }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $ Alert
+    $({ shell: true }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $ Alert
     $({ shell: false }).sync`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
 
-    $.sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    $.sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $ Alert
     $.sync`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
-    await $({ shell: true })`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
-    await $({ shell: false })`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    await $({ shell: true })`${cmd} ${arg1} ${arg2} ${arg3}`; // $ Alert
+    await $({ shell: false })`${cmd} ${arg1} ${arg2} ${arg3}`; // $ Alert
     await $({ shell: false })`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
 
-    await execa(cmd, [arg1, arg2, arg3]); // $Alert
-    await execa(cmd, { shell: true }); // $Alert
-    await execa(cmd, [arg1, arg2, arg3], { shell: true }); // $Alert
+    await execa(cmd, [arg1, arg2, arg3]); // $ Alert
+    await execa(cmd, { shell: true }); // $ Alert
+    await execa(cmd, [arg1, arg2, arg3], { shell: true }); // $ Alert
 
-    execaSync(cmd, [arg1, arg2, arg3]); // $Alert
-    execaSync(cmd, [arg1, arg2, arg3], { shell: true }); // $Alert
+    execaSync(cmd, [arg1, arg2, arg3]); // $ Alert
+    execaSync(cmd, [arg1, arg2, arg3], { shell: true }); // $ Alert
 
-    await execaCommand(cmd + arg1 + arg2 + arg3); // $Alert
-    await execaCommand(cmd + arg1 + arg2 + arg3, { shell: true }); // $Alert
+    await execaCommand(cmd + arg1 + arg2 + arg3); // $ Alert
+    await execaCommand(cmd + arg1 + arg2 + arg3, { shell: true }); // $ Alert
 
-    execaCommandSync(cmd + arg1 + arg2 + arg3); // $Alert
-    execaCommandSync(cmd + arg1 + arg2 + arg3, { shell: true }); // $Alert
+    execaCommandSync(cmd + arg1 + arg2 + arg3); // $ Alert
+    execaCommandSync(cmd + arg1 + arg2 + arg3, { shell: true }); // $ Alert
 });

javascript/ql/test/query-tests/Security/CWE-918/serverSide.js

@@ -10,7 +10,7 @@ import url from 'url';
 let XhrIo = goog.require('goog.net.XhrIo');
 let Uri = goog.require('goog.Uri');
 
-var server = http.createServer(function(req, res) {
+var server = http.createServer(function (req, res) {
     var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
 
     request("example.com");
@@ -31,7 +31,7 @@ var server = http.createServer(function(req, res) {
 
     request("http://example.com/?" + tainted);
 
-    http.get(relativeUrl, {host: tainted}); // $ Alert[js/request-forgery]
+    http.get(relativeUrl, { host: tainted }); // $ Alert[js/request-forgery]
 
     XhrIo.send(new Uri(tainted)); // $ Alert[js/request-forgery]
     new XhrIo().send(new Uri(tainted)); // $ Alert[js/request-forgery]
@@ -54,23 +54,23 @@ var server = http.createServer(function(req, res) {
 })
 
 var CDP = require("chrome-remote-interface");
-var server = http.createServer(async function(req, res) {
+var server = http.createServer(async function (req, res) {
     var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
 
     var client = await CDP(options);
-	client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
-	
-	CDP(options).catch((ignored) => {}).then((client) => {
-		client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
-	})
-	
-	CDP(options, (client) => {
-		client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
-	});
+    client.Page.navigate({ url: tainted }); // $ Alert[js/request-forgery]
+
+    CDP(options).catch((ignored) => { }).then((client) => {
+        client.Page.navigate({ url: tainted }); // $ Alert[js/request-forgery]
+    })
+
+    CDP(options, (client) => {
+        client.Page.navigate({ url: tainted }); // $ Alert[js/request-forgery]
+    });
 })
 
-import {JSDOM} from "jsdom";
-var server = http.createServer(async function(req, res) {
+import { JSDOM } from "jsdom";
+var server = http.createServer(async function (req, res) {
     var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
 
     JSDOM.fromURL(tainted); // $ Alert[js/request-forgery]
@@ -93,8 +93,8 @@ router.get('/', async (ctx, next) => {
 });
 app.use(router.routes());
 
-import {JSDOM} from "jsdom";
-var server = http.createServer(async function(req, res) {
+import { JSDOM } from "jsdom";
+var server = http.createServer(async function (req, res) {
     var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
 
     new WebSocket(tainted); // $ Alert[js/request-forgery]
@@ -103,23 +103,23 @@ var server = http.createServer(async function(req, res) {
 
 import * as ws from 'ws';
 
-new ws.Server({ port: 8080 }).on('connection', function(socket, request) {
-  socket.on('message', function(message) {
-    const url = request.url; // $ Source[js/request-forgery]
-    const socket = new ws(url); // $ Alert[js/request-forgery]
-  });
+new ws.Server({ port: 8080 }).on('connection', function (socket, request) {
+    socket.on('message', function (message) {
+        const url = request.url; // $ Source[js/request-forgery]
+        const socket = new ws(url); // $ Alert[js/request-forgery]
+    });
 });
 
 new ws.Server({ port: 8080 }).on('connection', function (socket, request) {
-  socket.on('message', function (message) {
-    const url = new URL(request.url, base); // $ Source[js/request-forgery]
-    const target = new URL(url.pathname, base);
-    const socket = new ws(url); // $ Alert[js/request-forgery]
-  });
+    socket.on('message', function (message) {
+        const url = new URL(request.url, base); // $ Source[js/request-forgery]
+        const target = new URL(url.pathname, base);
+        const socket = new ws(url); // $ Alert[js/request-forgery]
+    });
 });
 
 
-var server2 = http.createServer(function(req, res) {
+var server2 = http.createServer(function (req, res) {
     var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
 
     axios({
@@ -127,22 +127,22 @@ var server2 = http.createServer(function(req, res) {
         url: tainted // $ Sink[js/request-forgery]
     }) // $ Alert[js/request-forgery]
 
-    var myUrl = `${something}/bla/${tainted}`; 
+    var myUrl = `${something}/bla/${tainted}`;
     axios.get(myUrl); // $ Alert[js/request-forgery]
 
-    var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`; 
+    var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`;
     axios.get(myEncodedUrl);
 })
 
-var server2 = http.createServer(function(req, res) {
-  const { URL } = require('url'); 
-  const input = req.query.url; // $Source[js/request-forgery]
-  const target = new URL(input);
-  axios.get(target.toString()); // $Alert[js/request-forgery]
-  axios.get(target); // $Alert[js/request-forgery]
-  axios.get(target.href); // $Alert[js/request-forgery]
-  const encodedUrl = encodeURI(input);
-  axios.get(encodedUrl); // $Alert[js/request-forgery]
-  const escapedUrl = escape(input);
-  axios.get(escapedUrl); // $Alert[js/request-forgery]
+var server2 = http.createServer(function (req, res) {
+    const { URL } = require('url');
+    const input = req.query.url; // $ Source[js/request-forgery]
+    const target = new URL(input);
+    axios.get(target.toString()); // $ Alert[js/request-forgery]
+    axios.get(target); // $ Alert[js/request-forgery]
+    axios.get(target.href); // $ Alert[js/request-forgery]
+    const encodedUrl = encodeURI(input);
+    axios.get(encodedUrl); // $ Alert[js/request-forgery]
+    const escapedUrl = escape(input);
+    axios.get(escapedUrl); // $ Alert[js/request-forgery]
 });

javascript/ql/test/query-tests/Security/CWE-918/serverSide2.js

@@ -6,22 +6,22 @@ const app = express();
 const PORT = 3000;
 
 app.use((req, res, next) => {
-  req.parsedQueryFromParsedUrl = qs.parse(req._parsedUrl.query);  // $Source[js/request-forgery]
-  req.parsedQuery.url = req.url || {}; // $Source[js/request-forgery]
-  req.SomeObject.url = req.url; // $Source[js/request-forgery]
+  req.parsedQueryFromParsedUrl = qs.parse(req._parsedUrl.query);  // $ Source[js/request-forgery]
+  req.parsedQuery.url = req.url || {}; // $ Source[js/request-forgery]
+  req.SomeObject.url = req.url; // $ Source[js/request-forgery]
   next();
 });
 
 app.get('/proxy', async (req, res) => {
-    const targetUrl = req.parsedQuery.url;  
-    const response = await axios.get(targetUrl); // $Alert[js/request-forgery]
+  const targetUrl = req.parsedQuery.url;
+  const response = await axios.get(targetUrl); // $ Alert[js/request-forgery]
 
-    const targetUrl1 = req.parsedQueryFromParsedUrl.url;  
-    const response1 = await axios.get(targetUrl1); // $Alert[js/request-forgery]
- 
-    const targetUrl2 = req.url || {};  // $Source[js/request-forgery]
-    const response2 = await axios.get(targetUrl2);  // $Alert[js/request-forgery]
+  const targetUrl1 = req.parsedQueryFromParsedUrl.url;
+  const response1 = await axios.get(targetUrl1); // $ Alert[js/request-forgery]
 
-    const targetUrl3 = req.SomeObject.url || {};
-    const response3 = await axios.get(targetUrl3);  // $Alert[js/request-forgery]
+  const targetUrl2 = req.url || {};  // $ Source[js/request-forgery]
+  const response2 = await axios.get(targetUrl2);  // $ Alert[js/request-forgery]
+
+  const targetUrl3 = req.SomeObject.url || {};
+  const response3 = await axios.get(targetUrl3);  // $ Alert[js/request-forgery]
 });

javascript/ql/test/query-tests/Statements/LoopIterationSkippedDueToShifting/tst.js

@@ -33,8 +33,8 @@ function decrementAfter(string) {
   let parts = string.split('/');
   for (let i = 0; i < parts.length; ++i) {
     if (parts[i] === 'X') {
-        parts.splice(i, 1);
-        --i;
+      parts.splice(i, 1);
+      --i;
     }
   }
   return parts.join('/');
@@ -44,7 +44,7 @@ function postDecrementArgument(string) {
   let parts = string.split('/');
   for (let i = 0; i < parts.length; ++i) {
     if (parts[i] === 'X') {
-        parts.splice(i--, 1);
+      parts.splice(i--, 1);
     }
   }
   return parts.join('/');
@@ -55,8 +55,8 @@ function breakAfter(string) {
   let parts = string.split('/');
   for (let i = 0; i < parts.length; ++i) {
     if (parts[i] === 'X') {
-        parts.splice(i, 1); // OK - only removes first occurrence
-        break;
+      parts.splice(i, 1); // OK - only removes first occurrence
+      break;
     }
   }
   return parts.join('/');
@@ -66,7 +66,7 @@ function insertNewElements(string) {
   let parts = string.split('/');
   for (let i = 0; i < parts.length; ++i) {
     if (parts[i] === 'X') {
-        parts.splice(i, 1, '.'); // OK - no shifting due to insert
+      parts.splice(i, 1, '.'); // OK - no shifting due to insert
     }
   }
   return parts.join('/');
@@ -89,7 +89,7 @@ function spliceAfterLoopNested(string) {
   for (let j = 0; j < parts.length; ++j) {
     let i = j;
     for (; i < parts.length; ++i) {
-        if (parts[i] === 'X') break;
+      if (parts[i] === 'X') break;
     }
     parts.splice(i, 1); // OK - not inside 'i' loop
   }
@@ -124,10 +124,10 @@ function inspectNextElement(string) {
 
 function withTryCatch(pendingCSS) {
   for (let i = 0; i < pendingCSS.length; ++i) {
-      try {
-          pendingCSS.splice(i, 1); // $ SPURIOUS:Alert
-          i -= 1;
-      } catch (ex) {}
+    try {
+      pendingCSS.splice(i, 1); // $ SPURIOUS:Alert
+      i -= 1;
+    } catch (ex) { }
   }
 }
 
@@ -139,9 +139,9 @@ function andOperand(toc) {
 
 function ifStatement(toc) {
   for (let i = 0; i < toc.length; i++) {
-    if(toc[i].ignoreSubHeading){
-      if(toc.splice(i, 1)){
-        i--; 
+    if (toc[i].ignoreSubHeading) {
+      if (toc.splice(i, 1)) {
+        i--;
       }
     }
   }
@@ -149,8 +149,8 @@ function ifStatement(toc) {
 
 function ifStatement2(toc) {
   for (let i = 0; i < toc.length; i++) {
-    if(toc[i].ignoreSubHeading){
-      if(!toc.splice(i, 1)){ // $Alert
+    if (toc[i].ignoreSubHeading) {
+      if (!toc.splice(i, 1)) { // $ Alert
         i--;
       }
     }