JS: All of TaintedPath

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -242,6 +242,12 @@ module FlowLabel {
    * source, but not necessarily directly derived from it.
    */
   FlowLabel taint() { result = "taint" }
+
+  /**
+   * Gets one of the two standard flow labels, `data` or `taint`, describing values that originate
+   * from a flow source or are derived from a flow source.
+   */
+  FlowLabel dataOrTaint() { result = data() or result = taint() }
 }
 
 /**

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll

@@ -21,6 +21,111 @@ module TaintedPath {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
+  module Label {
+    /**
+     * String indicating if a path is normalized, that is, whether internal `../` components
+     * have been removed.
+     */
+    class Normalization extends string {
+      Normalization() { this = "normalized" or this = "raw" }
+    }
+
+    /**
+     * String indicating if a path is relative or absolute.
+     */
+    class Relativeness extends string {
+      Relativeness() { this = "relative" or this = "absolute" }
+    }
+
+    /**
+     * A flow label representing a Posix path.
+     *
+     * There are currently four flow labels, representing the different combinations of
+     * normalization and absoluteness.
+     */
+    class PosixPath extends DataFlow::FlowLabel {
+      Normalization normalization;
+
+      Relativeness relativeness;
+
+      PosixPath() { this = normalization + "-" + relativeness + "-posix-path" }
+
+      /** Gets a string indicating whether this path is normalized. */
+      Normalization getNormalization() { result = normalization }
+
+      /** Gets a string indicating whether this path is relative. */
+      Relativeness getRelativeness() { result = relativeness }
+
+      /** Holds if this path is normalized. */
+      predicate isNormalized() { normalization = "normalized" }
+
+      /** Holds if this path is not normalized. */
+      predicate isNonNormalized() { normalization = "raw" }
+
+      /** Holds if this path is relative. */
+      predicate isRelative() { relativeness = "relative" }
+
+      /** Holds if this path is relative. */
+      predicate isAbsolute() { relativeness = "absolute" }
+
+      /** Gets the path label with normalized flag set to true. */
+      PosixPath toNormalized() {
+        result.isNormalized() and
+        result.getRelativeness() = this.getRelativeness()
+      }
+
+      /** Gets the path label with normalized flag set to true. */
+      PosixPath toNonNormalized() {
+        result.isNonNormalized() and
+        result.getRelativeness() = this.getRelativeness()
+      }
+
+      /** Gets the path label with absolute flag set to true. */
+      PosixPath toAbsolute() {
+        result.isAbsolute() and
+        result.getNormalization() = this.getNormalization()
+      }
+
+      /** Gets the path label with absolute flag set to true. */
+      PosixPath toRelative() {
+        result.isRelative() and
+        result.getNormalization() = this.getNormalization()
+      }
+
+      /** Holds if this path may contain `../` components. */
+      predicate canContainDotDotSlash() {
+        // Absolute normalized path is the only combination that cannot contain `../`.
+        not (isNormalized() and isAbsolute())
+      }
+    }
+
+    /**
+     * Gets the possible Posix path labels corresponding to `label`.
+     *
+     * A posix path label is just mapped to itself, but `data` and `taint` are assumed
+     * to be fully user-controlled, and thus map to every possible posix path label.
+     */
+    PosixPath toPosixPath(DataFlow::FlowLabel label) {
+      result = label
+      or
+      label = DataFlow::FlowLabel::dataOrTaint()
+    }
+  }
+
+  /** Gets any flow label. */
+  private DataFlow::FlowLabel anyLabel() { any() }
+
+  /**
+   * Maps any label to itself, except `data` which is mapped to `taint`.
+   */
+  private predicate preserveLabel(DataFlow::FlowLabel srclabel, DataFlow::FlowLabel dstlabel) {
+    srclabel != DataFlow::FlowLabel::data() and
+    dstlabel = srclabel
+    or
+    srclabel = DataFlow::FlowLabel::data() and
+    dstlabel = DataFlow::FlowLabel::taint()
+  }
+
   /**
    * A taint-tracking configuration for reasoning about tainted-path vulnerabilities.
    */
@@ -29,7 +134,10 @@ module TaintedPath {
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+    override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+      sink instanceof Sink and
+      label = anyLabel()
+    }
 
     override predicate isSanitizer(DataFlow::Node node) {
       super.isSanitizer(node) or
@@ -37,7 +145,362 @@ module TaintedPath {
     }
 
     override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-      guard instanceof StrongPathCheck
+      guard instanceof StartsWithDotDotSanitizer or
+      guard instanceof StartsWithDirSanitizer or
+      guard instanceof IsAbsoluteSanitizer or
+      guard instanceof ContainsDotDotSanitizer
+    }
+
+    override predicate isAdditionalFlowStep(
+      DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
+      DataFlow::FlowLabel dstlabel
+    ) {
+      isTaintedPathStep(src, dst, srclabel, dstlabel)
+      or
+      // Introduce the specialized flow labels when approaching a specialized sanitizer guard.
+      exists(TaintTracking::LabeledSanitizerGuardNode guard, Expr e |
+        guard.sanitizes(_, e, any(Label::PosixPath label)) and
+        src.(DataFlow::SourceNode).flowsToExpr(e) and
+        dst = src and
+        srclabel = DataFlow::FlowLabel::dataOrTaint() and
+        dstlabel instanceof Label::PosixPath
+      )
+      or
+      // Ignore all preliminary sanitization after decoding URI components
+      srclabel instanceof Label::PosixPath and
+      dstlabel = DataFlow::FlowLabel::taint() and
+      (
+        any(UriLibraryStep step).step(src, dst)
+        or
+        exists(DataFlow::CallNode decode |
+          decode.getCalleeName() = "decodeURIComponent" or decode.getCalleeName() = "decodeURI"
+        |
+          src = decode.getArgument(0) and
+          dst = decode
+        )
+      )
+    }
+
+    override predicate isOmittedTaintStep(DataFlow::Node src, DataFlow::Node dst) {
+      isTaintedPathStep(src, dst, _, _)
+    }
+
+    /**
+     * Holds if we should include a step from `src -> dst` with labels `srclabel -> dstlabel`, and the
+     * standard taint step `src -> dst` should be suppresesd.
+     */
+    predicate isTaintedPathStep(
+      DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
+      DataFlow::FlowLabel dstlabel
+    ) {
+      // path.normalize() and similar
+      exists(NormalizingPathCall call |
+        src = call.getInput() and
+        dst = call.getOutput() and
+        dstlabel = Label::toPosixPath(srclabel).toNormalized()
+      )
+      or
+      // path.resolve() and similar
+      exists(ResolvingPathCall call |
+        src = call.getInput() and
+        dst = call.getOutput() and
+        srclabel = anyLabel() and
+        dstlabel.(Label::PosixPath).isAbsolute() and
+        dstlabel.(Label::PosixPath).isNormalized()
+      )
+      or
+      // path.relative() and similar
+      exists(NormalizingRelativePathCall call |
+        src = call.getInput() and
+        dst = call.getOutput() and
+        dstlabel.(Label::PosixPath).isRelative() and
+        dstlabel.(Label::PosixPath).isNormalized()
+      )
+      or
+      // path.dirname() and similar
+      exists(PreservingPathCall call |
+        src = call.getInput() and
+        dst = call.getOutput() and
+        preserveLabel(srclabel, dstlabel)
+      )
+      or
+      // path.join()
+      exists(DataFlow::CallNode join, int n |
+        join = DataFlow::moduleMember("path", "join").getACall()
+      |
+        src = join.getArgument(n) and
+        dst = join and
+        (
+          // If the initial argument is tainted, just normalize it. It can be relative or absolute.
+          n = 0 and
+          dstlabel = Label::toPosixPath(srclabel).toNormalized()
+          or
+          // For later arguments, the flow label depends on whether the first argument is absolute or relative.
+          // If in doubt, we assume it is absolute.
+          n > 0 and
+          Label::toPosixPath(srclabel).canContainDotDotSlash() and
+          dstlabel.(Label::PosixPath).isNormalized() and
+          if isRelative(join.getArgument(0).getStringValue())
+          then dstlabel.(Label::PosixPath).isRelative()
+          else dstlabel.(Label::PosixPath).isAbsolute()
+        )
+      )
+      or
+      // String concatenation - behaves like path.join() except without normalization
+      exists(DataFlow::Node operator, int n |
+        StringConcatenation::taintStep(src, dst, operator, n)
+      |
+        // use ordinary taint flow for the first operand
+        n = 0 and
+        preserveLabel(srclabel, dstlabel)
+        or
+        n > 0 and
+        Label::toPosixPath(srclabel).canContainDotDotSlash() and
+        dstlabel.(Label::PosixPath).isNonNormalized() and // The ../ is no longer at the beginning of the string.
+        (
+          if isRelative(StringConcatenation::getOperand(operator, 0).getStringValue())
+          then dstlabel.(Label::PosixPath).isRelative()
+          else dstlabel.(Label::PosixPath).isAbsolute()
+        )
+      )
+    }
+  }
+
+  /**
+   * Holds if `s` is a relative path.
+   */
+  bindingset[s]
+  private predicate isRelative(string s) { not s = "/" + any(string q) }
+
+  /**
+   * A call that normalizes a path.
+   */
+  class NormalizingPathCall extends DataFlow::CallNode {
+    DataFlow::Node input;
+
+    DataFlow::Node output;
+
+    NormalizingPathCall() {
+      this = DataFlow::moduleMember("path", "normalize").getACall() and
+      input = getArgument(0) and
+      output = this
+    }
+
+    /**
+     * Gets the input path to be normalized.
+     */
+    DataFlow::Node getInput() { result = input }
+
+    /**
+     * Gets the normalized path.
+     */
+    DataFlow::Node getOutput() { result = output }
+  }
+
+  /**
+   * A call that converts a path to an absolute normalized path.
+   */
+  class ResolvingPathCall extends DataFlow::CallNode {
+    DataFlow::Node input;
+
+    DataFlow::Node output;
+
+    ResolvingPathCall() {
+      this = DataFlow::moduleMember("path", "resolve").getACall() and
+      input = getAnArgument() and
+      output = this
+      or
+      this = DataFlow::moduleMember("fs", "realpathSync").getACall() and
+      input = getArgument(0) and
+      output = this
+      or
+      this = DataFlow::moduleMember("fs", "realpath").getACall() and
+      input = getArgument(0) and
+      output = getCallback(1).getParameter(1)
+    }
+
+    /**
+     * Gets the input path to be normalized.
+     */
+    DataFlow::Node getInput() { result = input }
+
+    /**
+     * Gets the normalized path.
+     */
+    DataFlow::Node getOutput() { result = output }
+  }
+
+  /**
+   * A call that normalizes a path and converts it to a relative path.
+   */
+  class NormalizingRelativePathCall extends DataFlow::CallNode {
+    DataFlow::Node input;
+
+    DataFlow::Node output;
+
+    NormalizingRelativePathCall() {
+      this = DataFlow::moduleMember("path", "relative").getACall() and
+      input = getAnArgument() and
+      output = this
+    }
+
+    /**
+     * Gets the input path to be normalized.
+     */
+    DataFlow::Node getInput() { result = input }
+
+    /**
+     * Gets the normalized path.
+     */
+    DataFlow::Node getOutput() { result = output }
+  }
+
+  /**
+   * A call that preserves taint without changing the flow label.
+   */
+  class PreservingPathCall extends DataFlow::CallNode {
+    DataFlow::Node input;
+
+    DataFlow::Node output;
+
+    PreservingPathCall() {
+      exists(string name | name = "dirname" or name = "toNamespacedPath" |
+        this = DataFlow::moduleMember("path", name).getACall() and
+        input = getAnArgument() and
+        output = this
+      )
+    }
+
+    /**
+     * Gets the input path to be normalized.
+     */
+    DataFlow::Node getInput() { result = input }
+
+    /**
+     * Gets the normalized path.
+     */
+    DataFlow::Node getOutput() { result = output }
+  }
+
+  /**
+   * Holds if `node` is a prefix of the string `../`.
+   */
+  private predicate isDotDotSlashPrefix(DataFlow::Node node) {
+    node.asExpr().getStringValue() + any(string s) = "../"
+    or
+    // ".." + path.sep
+    exists(StringOps::Concatenation conc | node = conc |
+      conc.getOperand(0).asExpr().getStringValue() = ".." and
+      conc.getOperand(1).getALocalSource() = DataFlow::moduleMember("path", "sep") and
+      conc.getNumOperand() = 2
+    )
+  }
+
+  /**
+   * A check of form `x.startsWith("../")` or similar.
+   *
+   * This is relevant for paths that are known to be normalized.
+   */
+  class StartsWithDotDotSanitizer extends TaintTracking::LabeledSanitizerGuardNode {
+    StringOps::StartsWith startsWith;
+
+    StartsWithDotDotSanitizer() {
+      this = startsWith and
+      isDotDotSlashPrefix(startsWith.getSubstring())
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      // Sanitize in the false case for:
+      //   .startsWith(".")
+      //   .startsWith("..")
+      //   .startsWith("../")
+      outcome = startsWith.getPolarity().booleanNot() and
+      e = startsWith.getBaseString().asExpr() and
+      exists(Label::PosixPath posixPath | posixPath = Label::toPosixPath(label) |
+        posixPath.isNormalized() and
+        posixPath.isRelative()
+      )
+    }
+  }
+
+  /**
+   * A check of form `x.startsWith(dir)` that sanitizes normalized absolute paths, since it is then
+   * known to be in a subdirectory of `dir`.
+   */
+  class StartsWithDirSanitizer extends TaintTracking::LabeledSanitizerGuardNode {
+    StringOps::StartsWith startsWith;
+
+    StartsWithDirSanitizer() {
+      this = startsWith and
+      not isDotDotSlashPrefix(startsWith.getSubstring()) and
+      // do not confuse this with a simple isAbsolute() check
+      not startsWith.getSubstring().asExpr().getStringValue() = "/"
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      outcome = startsWith.getPolarity() and
+      e = startsWith.getBaseString().asExpr() and
+      exists(Label::PosixPath posixPath | posixPath = Label::toPosixPath(label) |
+        posixPath.isAbsolute() and
+        posixPath.isNormalized()
+      )
+    }
+  }
+
+  /**
+   * A call to `path.isAbsolute` as a sanitizer for relative paths in true branch,
+   * and a sanitizer for absolute paths in the false branch.
+   */
+  class IsAbsoluteSanitizer extends TaintTracking::LabeledSanitizerGuardNode {
+    DataFlow::Node operand;
+
+    boolean polarity;
+
+    boolean negatable;
+
+    IsAbsoluteSanitizer() {
+      exists(DataFlow::CallNode call | this = call |
+        call = DataFlow::moduleMember("path", "isAbsolute").getACall() and
+        operand = call.getArgument(0) and
+        polarity = true and
+        negatable = true
+      )
+      or
+      exists(StringOps::StartsWith startsWith, string substring | this = startsWith |
+        startsWith.getSubstring().asExpr().getStringValue() = "/" + substring and
+        operand = startsWith.getBaseString() and
+        polarity = startsWith.getPolarity() and
+        if substring = "" then negatable = true else negatable = false
+      ) // !x.startsWith("/home") does not guarantee that x is not absolute
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      e = operand.asExpr() and
+      exists(Label::PosixPath posixPath | posixPath = Label::toPosixPath(label) |
+        outcome = polarity and posixPath.isRelative()
+        or
+        negatable = true and
+        outcome = polarity.booleanNot() and
+        posixPath.isAbsolute()
+      )
+    }
+  }
+
+  /**
+   * An expression of form `x.includes("..")` or similar.
+   */
+  class ContainsDotDotSanitizer extends TaintTracking::LabeledSanitizerGuardNode {
+    StringOps::Includes contains;
+
+    ContainsDotDotSanitizer() {
+      this = contains and
+      isDotDotSlashPrefix(contains.getSubstring())
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      e = contains.getBaseString().asExpr() and
+      outcome = contains.getPolarity().booleanNot() and
+      Label::toPosixPath(label).canContainDotDotSlash() // can still be bypassed by normalized absolute path
     }
   }
 
@@ -71,7 +534,8 @@ module TaintedPath {
         not exists(fs.getRootPathArgument())
         or
         this = fs.getRootPathArgument()
-      )
+      ) and
+      not this = any(ResolvingPathCall call).getInput()
     }
   }
 
@@ -94,59 +558,4 @@ module TaintedPath {
   class AngularJSTemplateUrlSink extends Sink, DataFlow::ValueNode {
     AngularJSTemplateUrlSink() { this = any(AngularJS::CustomDirective d).getMember("templateUrl") }
   }
-
-  /**
-   * Holds if `check` evaluating to `outcome` is not sufficient to sanitize `path`.
-   */
-  predicate weakCheck(Expr check, boolean outcome, VarAccess path) {
-    // `path.startsWith`, `path.endsWith`, `fs.existsSync(path)`
-    exists(Expr base, string m | check.(MethodCallExpr).calls(base, m) |
-      path = base and
-      (m = "startsWith" or m = "endsWith")
-      or
-      path = check.(MethodCallExpr).getArgument(0) and
-      m.regexpMatch("exists(Sync)?")
-    ) and
-    (outcome = true or outcome = false)
-    or
-    // `path.indexOf` comparisons
-    check.(Comparison).getAnOperand().(MethodCallExpr).calls(path, "indexOf") and
-    (outcome = true or outcome = false)
-    or
-    // `path != null`, `path != undefined`, `path != "somestring"`
-    exists(EqualityTest eq, Expr op |
-      eq = check and eq.hasOperands(path, op) and outcome = eq.getPolarity().booleanNot()
-    |
-      op instanceof NullLiteral or
-      op instanceof SyntacticConstants::UndefinedConstant or
-      exists(op.getStringValue())
-    )
-    or
-    // `path`
-    check = path and
-    (outcome = true or outcome = false)
-  }
-
-  /**
-   * A conditional involving the path, that is not considered to be a weak check.
-   */
-  class StrongPathCheck extends TaintTracking::SanitizerGuardNode {
-    VarAccess path;
-
-    boolean sanitizedOutcome;
-
-    StrongPathCheck() {
-      exists(ConditionGuardNode cgg | asExpr() = cgg.getTest() |
-        asExpr() = path.getParentExpr*() and
-        path = any(SsaVariable v).getAUse() and
-        (sanitizedOutcome = true or sanitizedOutcome = false) and
-        not weakCheck(asExpr(), sanitizedOutcome, path)
-      )
-    }
-
-    override predicate sanitizes(boolean outcome, Expr e) {
-      path = e and
-      outcome = sanitizedOutcome
-    }
-  }
 }

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -2,6 +2,10 @@
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
 | addexpr.js:11:15:11:22 | source() | addexpr.js:21:8:21:12 | value |
 | advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:13:10:13:10 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:19:10:19:10 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:22:10:22:10 | x |
 | callbacks.js:4:6:4:13 | source() | callbacks.js:34:27:34:27 | x |
 | callbacks.js:4:6:4:13 | source() | callbacks.js:35:27:35:27 | x |
 | callbacks.js:5:6:5:13 | source() | callbacks.js:34:27:34:27 | x |

javascript/ql/test/library-tests/TaintTracking/booleanOps.js

@@ -0,0 +1,23 @@
+function test() {
+  let x = source();
+  
+  sink(x); // NOT OK
+  
+  if (x === 'a')
+    sink(x); // OK
+  
+  if (x === 'a' || x === 'b')
+    sink(x); // OK
+  
+  if (x === 'a' || 1 === 1)
+    sink(x); // NOT OK
+
+  if (isSafe(x))
+    sink(x); // OK
+  
+  if (isSafe(x, y) || isSafe(x, z))
+    sink(x); // OK
+  
+  if (isSafe(x) || 1 === 1)
+    sink(x); // NOT OK
+}

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected

@@ -0,0 +1 @@
+| normalizedPaths.js:208:35:208:60 | // OK - ...  anyway | Spurious alert |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql

@@ -0,0 +1,31 @@
+import javascript
+import semmle.javascript.security.dataflow.TaintedPath::TaintedPath
+
+class Assertion extends LineComment {
+  boolean shouldHaveAlert;
+  Assertion() {
+    if getText().matches("%NOT OK%") then
+      shouldHaveAlert = true
+    else
+      (getText().matches("%OK%") and shouldHaveAlert = false)
+  }
+
+  predicate shouldHaveAlert() { shouldHaveAlert = true }
+
+  predicate hasAlert() {
+    exists(Configuration cfg, DataFlow::Node src, DataFlow::Node sink, Location loc |
+      cfg.hasFlow(src, sink) and
+      loc = sink.getAstNode().getLocation() and
+      loc.getFile() = getFile() and
+      loc.getEndLine() = getLocation().getEndLine()
+    )
+  }
+}
+
+from Assertion assertion, string message
+where
+  (assertion.shouldHaveAlert() and not assertion.hasAlert() and message = "Missing alert")
+  or
+  (not assertion.shouldHaveAlert() and assertion.hasAlert() and message = "Spurious alert")
+select
+  assertion, message

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

@@ -7,16 +7,43 @@ nodes
 | TaintedPath-es6.js:10:26:10:45 | join("public", path) |
 | TaintedPath-es6.js:10:41:10:44 | path |
 | TaintedPath.js:9:7:9:48 | path |
+| TaintedPath.js:9:7:9:48 | path |
+| TaintedPath.js:9:7:9:48 | path |
+| TaintedPath.js:9:7:9:48 | path |
+| TaintedPath.js:9:7:9:48 | path |
 | TaintedPath.js:9:14:9:37 | url.par ... , true) |
 | TaintedPath.js:9:14:9:43 | url.par ... ).query |
 | TaintedPath.js:9:14:9:48 | url.par ... ry.path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path |
 | TaintedPath.js:9:24:9:30 | req.url |
 | TaintedPath.js:12:29:12:32 | path |
+| TaintedPath.js:12:29:12:32 | path |
+| TaintedPath.js:12:29:12:32 | path |
+| TaintedPath.js:12:29:12:32 | path |
+| TaintedPath.js:12:29:12:32 | path |
 | TaintedPath.js:15:29:15:48 | "/home/user/" + path |
 | TaintedPath.js:15:45:15:48 | path |
+| TaintedPath.js:15:45:15:48 | path |
+| TaintedPath.js:15:45:15:48 | path |
+| TaintedPath.js:15:45:15:48 | path |
 | TaintedPath.js:19:33:19:36 | path |
 | TaintedPath.js:23:33:23:36 | path |
+| TaintedPath.js:23:33:23:36 | path |
+| TaintedPath.js:23:33:23:36 | path |
+| TaintedPath.js:23:33:23:36 | path |
+| TaintedPath.js:23:33:23:36 | path |
 | TaintedPath.js:27:33:27:36 | path |
+| TaintedPath.js:27:33:27:36 | path |
+| TaintedPath.js:27:33:27:36 | path |
+| TaintedPath.js:27:33:27:36 | path |
+| TaintedPath.js:27:33:27:36 | path |
+| TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:45:3:45:44 | path |
 | TaintedPath.js:45:10:45:33 | url.par ... , true) |
@@ -30,10 +57,12 @@ nodes
 | TaintedPath.js:51:29:51:52 | pathMod ... e(path) |
 | TaintedPath.js:51:48:51:51 | path |
 | TaintedPath.js:53:29:53:49 | pathMod ... n(path) |
+| TaintedPath.js:53:29:53:49 | pathMod ... n(path) |
 | TaintedPath.js:53:45:53:48 | path |
 | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) |
 | TaintedPath.js:55:51:55:54 | path |
 | TaintedPath.js:57:29:57:54 | pathMod ... e(path) |
+| TaintedPath.js:57:29:57:54 | pathMod ... e(path) |
 | TaintedPath.js:57:50:57:53 | path |
 | TaintedPath.js:59:29:59:56 | pathMod ... , path) |
 | TaintedPath.js:59:52:59:55 | path |
@@ -69,6 +98,147 @@ nodes
 | TaintedPath.js:110:14:110:17 | path |
 | TaintedPath.js:111:32:111:39 | realpath |
 | TaintedPath.js:112:45:112:52 | realpath |
+| normalizedPaths.js:11:7:11:27 | path |
+| normalizedPaths.js:11:14:11:27 | req.query.path |
+| normalizedPaths.js:13:16:13:19 | path |
+| normalizedPaths.js:14:16:14:26 | './' + path |
+| normalizedPaths.js:14:23:14:26 | path |
+| normalizedPaths.js:15:16:15:19 | path |
+| normalizedPaths.js:15:16:15:35 | path + '/index.html' |
+| normalizedPaths.js:16:16:16:50 | pathMod ... .html') |
+| normalizedPaths.js:16:16:16:50 | pathMod ... .html') |
+| normalizedPaths.js:16:32:16:35 | path |
+| normalizedPaths.js:17:16:17:54 | pathMod ... , path) |
+| normalizedPaths.js:17:50:17:53 | path |
+| normalizedPaths.js:21:7:21:49 | path |
+| normalizedPaths.js:21:7:21:49 | path |
+| normalizedPaths.js:21:14:21:49 | pathMod ... y.path) |
+| normalizedPaths.js:21:14:21:49 | pathMod ... y.path) |
+| normalizedPaths.js:21:35:21:48 | req.query.path |
+| normalizedPaths.js:23:16:23:19 | path |
+| normalizedPaths.js:23:16:23:19 | path |
+| normalizedPaths.js:24:16:24:26 | './' + path |
+| normalizedPaths.js:24:23:24:26 | path |
+| normalizedPaths.js:25:16:25:19 | path |
+| normalizedPaths.js:25:16:25:19 | path |
+| normalizedPaths.js:25:16:25:35 | path + '/index.html' |
+| normalizedPaths.js:25:16:25:35 | path + '/index.html' |
+| normalizedPaths.js:26:16:26:50 | pathMod ... .html') |
+| normalizedPaths.js:26:16:26:50 | pathMod ... .html') |
+| normalizedPaths.js:26:32:26:35 | path |
+| normalizedPaths.js:26:32:26:35 | path |
+| normalizedPaths.js:27:16:27:54 | pathMod ... , path) |
+| normalizedPaths.js:27:50:27:53 | path |
+| normalizedPaths.js:31:7:31:49 | path |
+| normalizedPaths.js:31:14:31:49 | pathMod ... y.path) |
+| normalizedPaths.js:31:35:31:48 | req.query.path |
+| normalizedPaths.js:36:16:36:19 | path |
+| normalizedPaths.js:41:18:41:21 | path |
+| normalizedPaths.js:54:7:54:49 | path |
+| normalizedPaths.js:54:14:54:49 | pathMod ... y.path) |
+| normalizedPaths.js:54:35:54:48 | req.query.path |
+| normalizedPaths.js:59:16:59:19 | path |
+| normalizedPaths.js:63:16:63:19 | path |
+| normalizedPaths.js:63:16:63:35 | path + "/index.html" |
+| normalizedPaths.js:68:18:68:21 | path |
+| normalizedPaths.js:73:7:73:56 | path |
+| normalizedPaths.js:73:14:73:56 | pathMod ... y.path) |
+| normalizedPaths.js:73:35:73:55 | './' +  ... ry.path |
+| normalizedPaths.js:73:42:73:55 | req.query.path |
+| normalizedPaths.js:78:19:78:22 | path |
+| normalizedPaths.js:82:7:82:27 | path |
+| normalizedPaths.js:82:7:82:27 | path |
+| normalizedPaths.js:82:14:82:27 | req.query.path |
+| normalizedPaths.js:82:14:82:27 | req.query.path |
+| normalizedPaths.js:82:14:82:27 | req.query.path |
+| normalizedPaths.js:87:29:87:32 | path |
+| normalizedPaths.js:87:29:87:32 | path |
+| normalizedPaths.js:90:31:90:34 | path |
+| normalizedPaths.js:94:7:94:49 | path |
+| normalizedPaths.js:94:14:94:49 | pathMod ... y.path) |
+| normalizedPaths.js:94:35:94:48 | req.query.path |
+| normalizedPaths.js:99:29:99:32 | path |
+| normalizedPaths.js:117:7:117:44 | path |
+| normalizedPaths.js:117:14:117:44 | fs.real ... y.path) |
+| normalizedPaths.js:117:30:117:43 | req.query.path |
+| normalizedPaths.js:119:16:119:19 | path |
+| normalizedPaths.js:120:16:120:50 | pathMod ... .html') |
+| normalizedPaths.js:120:32:120:35 | path |
+| normalizedPaths.js:130:7:130:49 | path |
+| normalizedPaths.js:130:14:130:49 | pathMod ... y.path) |
+| normalizedPaths.js:130:35:130:48 | req.query.path |
+| normalizedPaths.js:135:18:135:21 | path |
+| normalizedPaths.js:139:7:139:62 | path |
+| normalizedPaths.js:139:14:139:62 | pathMod ... y.path) |
+| normalizedPaths.js:139:48:139:61 | req.query.path |
+| normalizedPaths.js:144:18:144:21 | path |
+| normalizedPaths.js:148:7:148:58 | path |
+| normalizedPaths.js:148:14:148:58 | 'foo/'  ... y.path) |
+| normalizedPaths.js:148:23:148:58 | pathMod ... y.path) |
+| normalizedPaths.js:148:44:148:57 | req.query.path |
+| normalizedPaths.js:151:18:151:21 | path |
+| normalizedPaths.js:153:18:153:21 | path |
+| normalizedPaths.js:160:7:160:49 | path |
+| normalizedPaths.js:160:14:160:49 | pathMod ... y.path) |
+| normalizedPaths.js:160:35:160:48 | req.query.path |
+| normalizedPaths.js:165:16:165:19 | path |
+| normalizedPaths.js:170:18:170:21 | path |
+| normalizedPaths.js:174:7:174:27 | path |
+| normalizedPaths.js:174:7:174:27 | path |
+| normalizedPaths.js:174:7:174:27 | path |
+| normalizedPaths.js:174:7:174:27 | path |
+| normalizedPaths.js:174:7:174:27 | path |
+| normalizedPaths.js:174:14:174:27 | req.query.path |
+| normalizedPaths.js:174:14:174:27 | req.query.path |
+| normalizedPaths.js:174:14:174:27 | req.query.path |
+| normalizedPaths.js:174:14:174:27 | req.query.path |
+| normalizedPaths.js:174:14:174:27 | req.query.path |
+| normalizedPaths.js:184:16:184:19 | path |
+| normalizedPaths.js:184:16:184:19 | path |
+| normalizedPaths.js:184:16:184:19 | path |
+| normalizedPaths.js:184:16:184:19 | path |
+| normalizedPaths.js:184:16:184:19 | path |
+| normalizedPaths.js:187:18:187:21 | path |
+| normalizedPaths.js:187:18:187:21 | path |
+| normalizedPaths.js:189:18:189:21 | path |
+| normalizedPaths.js:189:18:189:21 | path |
+| normalizedPaths.js:192:18:192:21 | path |
+| normalizedPaths.js:192:18:192:21 | path |
+| normalizedPaths.js:192:18:192:21 | path |
+| normalizedPaths.js:192:18:192:21 | path |
+| normalizedPaths.js:192:18:192:21 | path |
+| normalizedPaths.js:194:18:194:21 | path |
+| normalizedPaths.js:199:18:199:21 | path |
+| normalizedPaths.js:199:18:199:21 | path |
+| normalizedPaths.js:199:18:199:21 | path |
+| normalizedPaths.js:199:18:199:21 | path |
+| normalizedPaths.js:199:18:199:21 | path |
+| normalizedPaths.js:201:7:201:49 | normalizedPath |
+| normalizedPaths.js:201:7:201:49 | normalizedPath |
+| normalizedPaths.js:201:24:201:49 | pathMod ... e(path) |
+| normalizedPaths.js:201:24:201:49 | pathMod ... e(path) |
+| normalizedPaths.js:201:45:201:48 | path |
+| normalizedPaths.js:201:45:201:48 | path |
+| normalizedPaths.js:201:45:201:48 | path |
+| normalizedPaths.js:201:45:201:48 | path |
+| normalizedPaths.js:201:45:201:48 | path |
+| normalizedPaths.js:205:18:205:31 | normalizedPath |
+| normalizedPaths.js:205:18:205:31 | normalizedPath |
+| normalizedPaths.js:208:18:208:31 | normalizedPath |
+| normalizedPaths.js:208:18:208:31 | normalizedPath |
+| normalizedPaths.js:210:18:210:31 | normalizedPath |
+| normalizedPaths.js:210:18:210:31 | normalizedPath |
+| normalizedPaths.js:214:7:214:49 | path |
+| normalizedPaths.js:214:7:214:49 | path |
+| normalizedPaths.js:214:14:214:49 | pathMod ... y.path) |
+| normalizedPaths.js:214:14:214:49 | pathMod ... y.path) |
+| normalizedPaths.js:214:35:214:48 | req.query.path |
+| normalizedPaths.js:219:3:219:33 | path |
+| normalizedPaths.js:219:10:219:33 | decodeU ... t(path) |
+| normalizedPaths.js:219:10:219:33 | decodeU ... t(path) |
+| normalizedPaths.js:219:29:219:32 | path |
+| normalizedPaths.js:219:29:219:32 | path |
+| normalizedPaths.js:222:18:222:21 | path |
 | tainted-array-steps.js:9:7:9:48 | path |
 | tainted-array-steps.js:9:14:9:37 | url.par ... , true) |
 | tainted-array-steps.js:9:14:9:43 | url.par ... ).query |
@@ -99,59 +269,265 @@ edges
 | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) |
 | TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:15:45:15:48 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:15:45:15:48 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:15:45:15:48 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:15:45:15:48 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:9:14:9:37 | url.par ... , true) | TaintedPath.js:9:14:9:43 | url.par ... ).query |
 | TaintedPath.js:9:14:9:43 | url.par ... ).query | TaintedPath.js:9:14:9:48 | url.par ... ry.path |
 | TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:14:9:48 | url.par ... ry.path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:14:9:48 | url.par ... ry.path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:14:9:48 | url.par ... ry.path |
+| TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:14:9:48 | url.par ... ry.path |
 | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) |
 | TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path |
+| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path |
+| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path |
+| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path |
 | TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path |
 | TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path |
 | TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path |
 | TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path |
 | TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path |
 | TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path |
 | TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path |
 | TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path |
 | TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path |
 | TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path |
 | TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path |
 | TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path |
 | TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path |
 | TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path |
 | TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path |
 | TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path |
 | TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path |
 | TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path |
 | TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path |
 | TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path |
 | TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path |
 | TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path |
 | TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path |
 | TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path |
 | TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path |
 | TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path |
 | TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path |
 | TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path |
+| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path |
 | TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path |
+| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path |
 | TaintedPath.js:45:3:45:44 | path | TaintedPath.js:47:49:47:52 | path |
 | TaintedPath.js:45:3:45:44 | path | TaintedPath.js:49:48:49:51 | path |
@@ -172,8 +548,10 @@ edges
 | TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) |
 | TaintedPath.js:51:48:51:51 | path | TaintedPath.js:51:29:51:52 | pathMod ... e(path) |
 | TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) |
+| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) |
 | TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) |
 | TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) |
+| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) |
 | TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) |
 | TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) |
 | TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) |
@@ -197,6 +575,138 @@ edges
 | TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) |
 | TaintedPath.js:110:14:110:17 | path | TaintedPath.js:111:32:111:39 | realpath |
 | TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath |
+| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:16:13:19 | path |
+| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:14:23:14:26 | path |
+| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:15:16:15:19 | path |
+| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:16:32:16:35 | path |
+| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:17:50:17:53 | path |
+| normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:11:7:11:27 | path |
+| normalizedPaths.js:14:23:14:26 | path | normalizedPaths.js:14:16:14:26 | './' + path |
+| normalizedPaths.js:15:16:15:19 | path | normalizedPaths.js:15:16:15:35 | path + '/index.html' |
+| normalizedPaths.js:16:32:16:35 | path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') |
+| normalizedPaths.js:16:32:16:35 | path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') |
+| normalizedPaths.js:17:50:17:53 | path | normalizedPaths.js:17:16:17:54 | pathMod ... , path) |
+| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:16:23:19 | path |
+| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:16:23:19 | path |
+| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:24:23:24:26 | path |
+| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:25:16:25:19 | path |
+| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:25:16:25:19 | path |
+| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:26:32:26:35 | path |
+| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:26:32:26:35 | path |
+| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:27:50:27:53 | path |
+| normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | normalizedPaths.js:21:7:21:49 | path |
+| normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | normalizedPaths.js:21:7:21:49 | path |
+| normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) |
+| normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) |
+| normalizedPaths.js:24:23:24:26 | path | normalizedPaths.js:24:16:24:26 | './' + path |
+| normalizedPaths.js:25:16:25:19 | path | normalizedPaths.js:25:16:25:35 | path + '/index.html' |
+| normalizedPaths.js:25:16:25:19 | path | normalizedPaths.js:25:16:25:35 | path + '/index.html' |
+| normalizedPaths.js:26:32:26:35 | path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') |
+| normalizedPaths.js:26:32:26:35 | path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') |
+| normalizedPaths.js:27:50:27:53 | path | normalizedPaths.js:27:16:27:54 | pathMod ... , path) |
+| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:36:16:36:19 | path |
+| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:41:18:41:21 | path |
+| normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | normalizedPaths.js:31:7:31:49 | path |
+| normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:31:14:31:49 | pathMod ... y.path) |
+| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:59:16:59:19 | path |
+| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:63:16:63:19 | path |
+| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:68:18:68:21 | path |
+| normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | normalizedPaths.js:54:7:54:49 | path |
+| normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:54:14:54:49 | pathMod ... y.path) |
+| normalizedPaths.js:63:16:63:19 | path | normalizedPaths.js:63:16:63:35 | path + "/index.html" |
+| normalizedPaths.js:73:7:73:56 | path | normalizedPaths.js:78:19:78:22 | path |
+| normalizedPaths.js:73:14:73:56 | pathMod ... y.path) | normalizedPaths.js:73:7:73:56 | path |
+| normalizedPaths.js:73:35:73:55 | './' +  ... ry.path | normalizedPaths.js:73:14:73:56 | pathMod ... y.path) |
+| normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:73:35:73:55 | './' +  ... ry.path |
+| normalizedPaths.js:82:7:82:27 | path | normalizedPaths.js:87:29:87:32 | path |
+| normalizedPaths.js:82:7:82:27 | path | normalizedPaths.js:87:29:87:32 | path |
+| normalizedPaths.js:82:7:82:27 | path | normalizedPaths.js:90:31:90:34 | path |
+| normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:82:7:82:27 | path |
+| normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:82:7:82:27 | path |
+| normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:82:14:82:27 | req.query.path |
+| normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:82:14:82:27 | req.query.path |
+| normalizedPaths.js:94:7:94:49 | path | normalizedPaths.js:99:29:99:32 | path |
+| normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | normalizedPaths.js:94:7:94:49 | path |
+| normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:94:14:94:49 | pathMod ... y.path) |
+| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:16:119:19 | path |
+| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:120:32:120:35 | path |
+| normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | normalizedPaths.js:117:7:117:44 | path |
+| normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) |
+| normalizedPaths.js:120:32:120:35 | path | normalizedPaths.js:120:16:120:50 | pathMod ... .html') |
+| normalizedPaths.js:130:7:130:49 | path | normalizedPaths.js:135:18:135:21 | path |
+| normalizedPaths.js:130:14:130:49 | pathMod ... y.path) | normalizedPaths.js:130:7:130:49 | path |
+| normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:130:14:130:49 | pathMod ... y.path) |
+| normalizedPaths.js:139:7:139:62 | path | normalizedPaths.js:144:18:144:21 | path |
+| normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | normalizedPaths.js:139:7:139:62 | path |
+| normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:139:14:139:62 | pathMod ... y.path) |
+| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:151:18:151:21 | path |
+| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:153:18:153:21 | path |
+| normalizedPaths.js:148:14:148:58 | 'foo/'  ... y.path) | normalizedPaths.js:148:7:148:58 | path |
+| normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | normalizedPaths.js:148:14:148:58 | 'foo/'  ... y.path) |
+| normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:148:23:148:58 | pathMod ... y.path) |
+| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:165:16:165:19 | path |
+| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:170:18:170:21 | path |
+| normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | normalizedPaths.js:160:7:160:49 | path |
+| normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:160:14:160:49 | pathMod ... y.path) |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:16:184:19 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:16:184:19 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:16:184:19 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:16:184:19 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:16:184:19 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:187:18:187:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:187:18:187:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:189:18:189:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:189:18:189:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:18:192:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:18:192:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:18:192:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:18:192:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:18:192:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:194:18:194:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:18:199:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:18:199:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:18:199:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:18:199:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:18:199:21 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:201:45:201:48 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:201:45:201:48 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:201:45:201:48 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:201:45:201:48 | path |
+| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:201:45:201:48 | path |
+| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path |
+| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path |
+| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path |
+| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path |
+| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path |
+| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:14:174:27 | req.query.path |
+| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:14:174:27 | req.query.path |
+| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:14:174:27 | req.query.path |
+| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:14:174:27 | req.query.path |
+| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:18:205:31 | normalizedPath |
+| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:18:205:31 | normalizedPath |
+| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:18:208:31 | normalizedPath |
+| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:18:208:31 | normalizedPath |
+| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:18:210:31 | normalizedPath |
+| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:18:210:31 | normalizedPath |
+| normalizedPaths.js:201:24:201:49 | pathMod ... e(path) | normalizedPaths.js:201:7:201:49 | normalizedPath |
+| normalizedPaths.js:201:24:201:49 | pathMod ... e(path) | normalizedPaths.js:201:7:201:49 | normalizedPath |
+| normalizedPaths.js:201:45:201:48 | path | normalizedPaths.js:201:24:201:49 | pathMod ... e(path) |
+| normalizedPaths.js:201:45:201:48 | path | normalizedPaths.js:201:24:201:49 | pathMod ... e(path) |
+| normalizedPaths.js:201:45:201:48 | path | normalizedPaths.js:201:24:201:49 | pathMod ... e(path) |
+| normalizedPaths.js:201:45:201:48 | path | normalizedPaths.js:201:24:201:49 | pathMod ... e(path) |
+| normalizedPaths.js:201:45:201:48 | path | normalizedPaths.js:201:24:201:49 | pathMod ... e(path) |
+| normalizedPaths.js:201:45:201:48 | path | normalizedPaths.js:201:24:201:49 | pathMod ... e(path) |
+| normalizedPaths.js:214:7:214:49 | path | normalizedPaths.js:219:29:219:32 | path |
+| normalizedPaths.js:214:7:214:49 | path | normalizedPaths.js:219:29:219:32 | path |
+| normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | normalizedPaths.js:214:7:214:49 | path |
+| normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | normalizedPaths.js:214:7:214:49 | path |
+| normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:214:14:214:49 | pathMod ... y.path) |
+| normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:214:14:214:49 | pathMod ... y.path) |
+| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:18:222:21 | path |
+| normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | normalizedPaths.js:219:3:219:33 | path |
+| normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | normalizedPaths.js:219:10:219:33 | decodeU ... t(path) |
+| normalizedPaths.js:219:29:219:32 | path | normalizedPaths.js:219:10:219:33 | decodeU ... t(path) |
+| normalizedPaths.js:219:29:219:32 | path | normalizedPaths.js:219:10:219:33 | decodeU ... t(path) |
 | tainted-array-steps.js:9:7:9:48 | path | tainted-array-steps.js:11:40:11:43 | path |
 | tainted-array-steps.js:9:7:9:48 | path | tainted-array-steps.js:13:26:13:29 | path |
 | tainted-array-steps.js:9:14:9:37 | url.par ... , true) | tainted-array-steps.js:9:14:9:43 | url.par ... ).query |
@@ -216,17 +726,35 @@ edges
 #select
 | TaintedPath-es6.js:10:26:10:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on $@. | TaintedPath-es6.js:7:20:7:26 | req.url | a user-provided value |
 | TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
 | TaintedPath.js:15:29:15:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:15:29:15:48 | "/home/user/" + path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
 | TaintedPath.js:19:33:19:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:19:33:19:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
 | TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
 | TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
+| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
 | TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
 | TaintedPath.js:47:29:47:53 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:47:29:47:53 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
 | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
 | TaintedPath.js:51:29:51:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:51:29:51:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
 | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
+| TaintedPath.js:53:29:53:49 | pathMod ... n(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
 | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
 | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
+| TaintedPath.js:57:29:57:54 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
 | TaintedPath.js:59:29:59:56 | pathMod ... , path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:59:29:59:56 | pathMod ... , path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
 | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
 | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
@@ -239,6 +767,97 @@ edges
 | TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | This path depends on $@. | TaintedPath.js:94:48:94:60 | req.params[0] | a user-provided value |
 | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value |
 | TaintedPath.js:112:45:112:52 | realpath | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:112:45:112:52 | realpath | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value |
+| normalizedPaths.js:13:16:13:19 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:16:13:19 | path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:14:16:14:26 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:16:14:26 | './' + path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:15:16:15:35 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:16:15:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:16:16:16:50 | pathMod ... .html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:16:16:16:50 | pathMod ... .html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:17:16:17:54 | pathMod ... , path) | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:17:16:17:54 | pathMod ... , path) | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:23:16:23:19 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:16:23:19 | path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:23:16:23:19 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:16:23:19 | path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:24:16:24:26 | './' + path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:24:16:24:26 | './' + path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:25:16:25:35 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:16:25:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:25:16:25:35 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:16:25:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:26:16:26:50 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:26:16:26:50 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:27:16:27:54 | pathMod ... , path) | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:27:16:27:54 | pathMod ... , path) | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:36:16:36:19 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:36:16:36:19 | path | This path depends on $@. | normalizedPaths.js:31:35:31:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:41:18:41:21 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:41:18:41:21 | path | This path depends on $@. | normalizedPaths.js:31:35:31:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:59:16:59:19 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:59:16:59:19 | path | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:63:16:63:35 | path + "/index.html" | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:63:16:63:35 | path + "/index.html" | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:68:18:68:21 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:68:18:68:21 | path | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:78:19:78:22 | path | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:78:19:78:22 | path | This path depends on $@. | normalizedPaths.js:73:42:73:55 | req.query.path | a user-provided value |
+| normalizedPaths.js:87:29:87:32 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:87:29:87:32 | path | This path depends on $@. | normalizedPaths.js:82:14:82:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:87:29:87:32 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:87:29:87:32 | path | This path depends on $@. | normalizedPaths.js:82:14:82:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:87:29:87:32 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:87:29:87:32 | path | This path depends on $@. | normalizedPaths.js:82:14:82:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:87:29:87:32 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:87:29:87:32 | path | This path depends on $@. | normalizedPaths.js:82:14:82:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:90:31:90:34 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:90:31:90:34 | path | This path depends on $@. | normalizedPaths.js:82:14:82:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:90:31:90:34 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:90:31:90:34 | path | This path depends on $@. | normalizedPaths.js:82:14:82:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:99:29:99:32 | path | normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:99:29:99:32 | path | This path depends on $@. | normalizedPaths.js:94:35:94:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:119:16:119:19 | path | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:119:16:119:19 | path | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value |
+| normalizedPaths.js:120:16:120:50 | pathMod ... .html') | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:120:16:120:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value |
+| normalizedPaths.js:135:18:135:21 | path | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:135:18:135:21 | path | This path depends on $@. | normalizedPaths.js:130:35:130:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:144:18:144:21 | path | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:144:18:144:21 | path | This path depends on $@. | normalizedPaths.js:139:48:139:61 | req.query.path | a user-provided value |
+| normalizedPaths.js:151:18:151:21 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:151:18:151:21 | path | This path depends on $@. | normalizedPaths.js:148:44:148:57 | req.query.path | a user-provided value |
+| normalizedPaths.js:153:18:153:21 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:153:18:153:21 | path | This path depends on $@. | normalizedPaths.js:148:44:148:57 | req.query.path | a user-provided value |
+| normalizedPaths.js:165:16:165:19 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:165:16:165:19 | path | This path depends on $@. | normalizedPaths.js:160:35:160:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:170:18:170:21 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:170:18:170:21 | path | This path depends on $@. | normalizedPaths.js:160:35:160:48 | req.query.path | a user-provided value |
+| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:187:18:187:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:18:187:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:187:18:187:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:18:187:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:187:18:187:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:18:187:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:187:18:187:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:18:187:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:189:18:189:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:18:189:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:189:18:189:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:18:189:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:189:18:189:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:18:189:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:189:18:189:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:18:189:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:194:18:194:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:194:18:194:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:194:18:194:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:194:18:194:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:205:18:205:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:18:205:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:205:18:205:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:18:205:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:205:18:205:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:18:205:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:205:18:205:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:18:205:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:205:18:205:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:18:205:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:205:18:205:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:18:205:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:208:18:208:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:18:208:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:208:18:208:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:18:208:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:208:18:208:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:18:208:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:208:18:208:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:18:208:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:208:18:208:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:18:208:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:208:18:208:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:18:208:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:210:18:210:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:18:210:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:210:18:210:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:18:210:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:210:18:210:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:18:210:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:210:18:210:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:18:210:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:210:18:210:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:18:210:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:210:18:210:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:18:210:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:222:18:222:21 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:18:222:21 | path | This path depends on $@. | normalizedPaths.js:214:35:214:48 | req.query.path | a user-provided value |
 | tainted-array-steps.js:11:29:11:54 | ['publi ... in('/') | tainted-array-steps.js:9:24:9:30 | req.url | tainted-array-steps.js:11:29:11:54 | ['publi ... in('/') | This path depends on $@. | tainted-array-steps.js:9:24:9:30 | req.url | a user-provided value |
 | tainted-array-steps.js:15:29:15:43 | parts.join('/') | tainted-array-steps.js:9:24:9:30 | req.url | tainted-array-steps.js:15:29:15:43 | parts.join('/') | This path depends on $@. | tainted-array-steps.js:9:24:9:30 | req.url | a user-provided value |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js

@@ -0,0 +1,223 @@
+var fs = require('fs'),
+    express = require('express'),
+    url = require('url'),
+    sanitize = require('sanitize-filename'),
+    pathModule = require('path')
+    ;
+
+let app = express();
+
+app.get('/basic', (req, res) => {
+  let path = req.query.path;
+
+  res.sendFile(path); // NOT OK
+  res.sendFile('./' + path); // NOT OK
+  res.sendFile(path + '/index.html'); // NOT OK
+  res.sendFile(pathModule.join(path, 'index.html')); // NOT OK
+  res.sendFile(pathModule.join('/home/user/www', path)); // NOT OK
+});
+
+app.get('/normalize', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+
+  res.sendFile(path); // NOT OK
+  res.sendFile('./' + path); // NOT OK
+  res.sendFile(path + '/index.html'); // NOT OK
+  res.sendFile(pathModule.join(path, 'index.html')); // NOT OK
+  res.sendFile(pathModule.join('/home/user/www', path)); // NOT OK
+});
+
+app.get('/normalize-notAbsolute', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+
+  if (pathModule.isAbsolute(path))
+    return;
+   
+  res.sendFile(path); // NOT OK
+
+  if (!path.startsWith("."))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK - wrong polarity
+  
+  if (!path.startsWith(".."))
+    res.sendFile(path); // OK
+  
+  if (!path.startsWith("../"))
+    res.sendFile(path); // OK
+
+  if (!path.startsWith(".." + pathModule.sep))
+    res.sendFile(path); // OK
+});
+
+app.get('/normalize-noInitialDotDot', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+  
+  if (path.startsWith(".."))
+    return;
+
+  res.sendFile(path); // NOT OK - could be absolute
+
+  res.sendFile("./" + path); // OK - coerced to relative
+
+  res.sendFile(path + "/index.html"); // NOT OK - not coerced
+
+  if (!pathModule.isAbsolute(path))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK
+});
+
+app.get('/prepend-normalize', (req, res) => {
+  // Coerce to relative prior to normalization
+  let path = pathModule.normalize('./' + req.query.path);
+
+  if (!path.startsWith(".."))
+    res.sendFile(path); // OK
+  else
+     res.sendFile(path); // NOT OK
+});
+
+app.get('/absolute', (req, res) => {
+  let path = req.query.path;
+  
+  if (!pathModule.isAbsolute(path))
+    return;
+
+  res.write(fs.readFileSync(path)); // NOT OK
+
+  if (path.startsWith('/home/user/www'))
+    res.write(fs.readFileSync(path)); // NOT OK - can still contain '../'
+});
+
+app.get('/normalized-absolute', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+  
+  if (!pathModule.isAbsolute(path))
+    return;
+  
+  res.write(fs.readFileSync(path)); // NOT OK
+
+  if (path.startsWith('/home/user/www'))
+    res.write(fs.readFileSync(path)); // OK
+});
+
+app.get('/combined-check', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+  
+  // Combined absoluteness and folder check in one startsWith call
+  if (path.startsWith("/home/user/www"))
+    res.sendFile(path); // OK
+
+  if (path[0] !== "/" && path[0] !== ".")
+    res.sendFile(path); // OK
+});
+
+app.get('/realpath', (req, res) => {
+  let path = fs.realpathSync(req.query.path);
+
+  res.sendFile(path); // NOT OK
+  res.sendFile(pathModule.join(path, 'index.html')); // NOT OK
+
+  if (path.startsWith("/home/user/www"))
+    res.sendFile(path); // OK - both absolute and normalized before check
+    
+  res.sendFile(pathModule.join('.', path)); // OK - normalized and coerced to relative
+  res.sendFile(pathModule.join('/home/user/www', path)); // OK
+});
+
+app.get('/coerce-relative', (req, res) => {
+  let path = pathModule.join('.', req.query.path);
+
+  if (!path.startsWith('..'))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK
+});
+
+app.get('/coerce-absolute', (req, res) => {
+  let path = pathModule.join('/home/user/www', req.query.path);
+
+  if (path.startsWith('/home/user/www'))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK
+});
+
+app.get('/concat-after-normalization', (req, res) => {
+  let path = 'foo/' + pathModule.normalize(req.query.path);
+
+  if (!path.startsWith('..'))
+    res.sendFile(path); // NOT OK - prefixing foo/ invalidates check
+  else
+    res.sendFile(path); // NOT OK
+
+  if (!path.includes('..'))
+    res.sendFile(path); // OK
+});
+
+app.get('/noDotDot', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+
+  if (path.includes('..'))
+    return;
+
+  res.sendFile(path); // NOT OK - can still be absolute
+
+  if (!pathModule.isAbsolute(path))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK
+});
+
+app.get('/join-regression', (req, res) => {
+  let path = req.query.path;
+
+  // Regression test for a specific corner case:
+  // Some guard nodes sanitize both branches, but for a different set of flow labels.
+  // Verify that this does not break anything.
+  if (pathModule.isAbsolute(path)) {path;} else {path;}
+  if (path.startsWith('/')) {path;} else {path;}
+  if (path.startsWith('/x')) {path;} else {path;}
+  if (path.startsWith('.')) {path;} else {path;}
+
+  res.sendFile(path); // NOT OK
+
+  if (pathModule.isAbsolute(path))
+    res.sendFile(path); // NOT OK
+  else
+    res.sendFile(path); // NOT OK
+
+  if (path.includes('..'))
+    res.sendFile(path); // NOT OK
+  else
+    res.sendFile(path); // NOT OK
+
+  if (!path.includes('..') && !pathModule.isAbsolute(path))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK
+
+  let normalizedPath = pathModule.normalize(path);
+  if (normalizedPath.startsWith('/home/user/www'))
+    res.sendFile(normalizedPath); // OK
+  else
+    res.sendFile(normalizedPath); // NOT OK
+
+  if (normalizedPath.startsWith('/home/user/www') || normalizedPath.startsWith('/home/user/public'))
+    res.sendFile(normalizedPath); // OK - but flagged anyway
+  else
+    res.sendFile(normalizedPath); // NOT OK
+});
+
+app.get('/decode-after-normalization', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+  
+  if (!pathModule.isAbsolute(path) && !path.startsWith('..'))
+    res.sendFile(path); // OK
+
+  path = decodeURIComponent(path);
+
+  if (!pathModule.isAbsolute(path) && !path.startsWith('..'))
+    res.sendFile(path); // NOT OK - not normalized
+});

javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected

@@ -22,6 +22,9 @@
 | (parameter 0 (member sqlInj (root https://www.npmjs.com/package/infer-sources))) | data | SqlInjection |
 | (parameter 0 (member sqlInj (root https://www.npmjs.com/package/infer-sources))) | taint | SqlInjection |
 | (parameter 0 (member taintedPath (root https://www.npmjs.com/package/infer-sources))) | data | TaintedPath |
+| (parameter 0 (member taintedPath (root https://www.npmjs.com/package/infer-sources))) | normalized-relative-posix-path | TaintedPath |
+| (parameter 0 (member taintedPath (root https://www.npmjs.com/package/infer-sources))) | raw-absolute-posix-path | TaintedPath |
+| (parameter 0 (member taintedPath (root https://www.npmjs.com/package/infer-sources))) | raw-relative-posix-path | TaintedPath |
 | (parameter 0 (member taintedPath (root https://www.npmjs.com/package/infer-sources))) | taint | TaintedPath |
 | (parameter 0 (member unsafeDes (root https://www.npmjs.com/package/infer-sources))) | data | UnsafeDeserialization |
 | (parameter 0 (member unsafeDes (root https://www.npmjs.com/package/infer-sources))) | taint | UnsafeDeserialization |