Merge branch 'jhelie/add-xss-through-dom' of github.com:github/codeql into jhelie/add-xss-through-dom

2026-05-29 18:41:27 +02:00 · 2022-11-10 16:51:52 +01:00
parent 38430c57a2 98379d3c12
commit 227d6fffa7
422 changed files with 63016 additions and 57917 deletions
--- a/javascript/ql/lib/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/lib/semmle/javascript/PackageExports.qll
@@ -75,6 +75,16 @@ private DataFlow::Node getAValueExportedByPackage() {
    result = getAnExportFromModule(mod)
  )
  or
+  // re-export of a value from another module
+  // `module.exports.foo = require("./other").bar;`
+  // other.js:
+  // `module.exports.bar = function () { ... };`
+  exists(DataFlow::PropRead read, Import imp |
+    read = getAValueExportedByPackage() and
+    read.getBase().getALocalSource() = imp.getImportedModuleNode() and
+    result = imp.getImportedModule().getAnExportedValue(read.getPropertyName())
+  )
+  or
  // require("./other-module.js"); inside an AMD module.
  exists(Module mod, CallExpr call |
    call = getAValueExportedByPackage().asExpr() and
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll
@@ -1,5 +1,5 @@
 /**
- * Module for parsing access paths from CSV models, both the identifying access path used
+ * Module for parsing access paths from MaD models, both the identifying access path used
 * by dynamic languages, and the input/output specifications for summary steps.
 *
 * This file is used by the shared data flow library and by the JavaScript libraries
--- a/javascript/ql/src/change-notes/2022-11-08-yaml-locations.md
+++ b/javascript/ql/src/change-notes/2022-11-08-yaml-locations.md
@@ -0,0 +1,5 @@
+---
+category: fix
+---
+* Fixed an issue with multi-line strings in YAML files being associated with an invalid location,
+  causing alerts related to such strings to appear at the top of the YAML file.
--- a/javascript/ql/test/library-tests/ESLint/ESLintGlobal.expected
+++ b/javascript/ql/test/library-tests/ESLint/ESLintGlobal.expected
@@ -2,10 +2,10 @@
 | sub/.eslintrc.json:2:14:5:3 | {\\n      ... lse\\n  } | aNonWritableGlobal | false | sub/tst.js:1:1:1:15 | aWritableGlobal |
 | sub/.eslintrc.json:2:14:5:3 | {\\n      ... lse\\n  } | aWritableGlobal | true | sub/subsub/tst.js:1:1:1:15 | aWritableGlobal |
 | sub/.eslintrc.json:2:14:5:3 | {\\n      ... lse\\n  } | aWritableGlobal | true | sub/tst.js:1:1:1:15 | aWritableGlobal |
-| sub/.eslintrc.yml:3:5:6:0 | aWritab ... l: true | aNonWritableGlobal | false | sub/subsub/tst.js:1:1:1:15 | aWritableGlobal |
-| sub/.eslintrc.yml:3:5:6:0 | aWritab ... l: true | aNonWritableGlobal | false | sub/tst.js:1:1:1:15 | aWritableGlobal |
-| sub/.eslintrc.yml:3:5:6:0 | aWritab ... l: true | aWritableGlobal | true | sub/subsub/tst.js:1:1:1:15 | aWritableGlobal |
-| sub/.eslintrc.yml:3:5:6:0 | aWritab ... l: true | aWritableGlobal | true | sub/tst.js:1:1:1:15 | aWritableGlobal |
+| sub/.eslintrc.yml:3:5:4:30 | aWritab ... l: true | aNonWritableGlobal | false | sub/subsub/tst.js:1:1:1:15 | aWritableGlobal |
+| sub/.eslintrc.yml:3:5:4:30 | aWritab ... l: true | aNonWritableGlobal | false | sub/tst.js:1:1:1:15 | aWritableGlobal |
+| sub/.eslintrc.yml:3:5:4:30 | aWritab ... l: true | aWritableGlobal | true | sub/subsub/tst.js:1:1:1:15 | aWritableGlobal |
+| sub/.eslintrc.yml:3:5:4:30 | aWritab ... l: true | aWritableGlobal | true | sub/tst.js:1:1:1:15 | aWritableGlobal |
 | sub/package.json:5:20:8:9 | {\\n      ...       } | aNonWritableGlobal | false | sub/subsub/tst.js:1:1:1:15 | aWritableGlobal |
 | sub/package.json:5:20:8:9 | {\\n      ...       } | aNonWritableGlobal | false | sub/tst.js:1:1:1:15 | aWritableGlobal |
 | sub/package.json:5:20:8:9 | {\\n      ...       } | aWritableGlobal | true | sub/subsub/tst.js:1:1:1:15 | aWritableGlobal |
--- a/javascript/ql/test/library-tests/YAML/printAst.expected
+++ b/javascript/ql/test/library-tests/YAML/printAst.expected
@@ -30,7 +30,7 @@ nodes
 | tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | semmle.label | [YamlSequence] - "name ...  Knopf" |
 | tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | semmle.order | 3 |
 | tst.yml:1:3:1:8 | [YamlScalar] "name" | semmle.label | [YamlScalar] "name" |
-| tst.yml:1:3:7:0 | [YamlMapping] "name": "Jim Knopf" | semmle.label | [YamlMapping] "name": "Jim Knopf" |
+| tst.yml:1:3:6:4 | [YamlMapping] "name": "Jim Knopf" | semmle.label | [YamlMapping] "name": "Jim Knopf" |
 | tst.yml:1:11:1:21 | [YamlScalar] "Jim Knopf" | semmle.label | [YamlScalar] "Jim Knopf" |
 | tst.yml:2:3:2:9 | [YamlScalar] address | semmle.label | [YamlScalar] address |
 | tst.yml:2:12:6:3 | [YamlMapping] { | semmle.label | [YamlMapping] { |
@@ -41,12 +41,12 @@ nodes
 | tst.yml:5:5:5:13 | [YamlScalar] "country" | semmle.label | [YamlScalar] "country" |
 | tst.yml:5:16:5:27 | [YamlScalar] "Lummerland" | semmle.label | [YamlScalar] "Lummerland" |
 | tst.yml:7:3:7:6 | [YamlScalar] name | semmle.label | [YamlScalar] name |
-| tst.yml:7:3:14:0 | [YamlMapping] name: Frau Mahlzahn | semmle.label | [YamlMapping] name: Frau Mahlzahn |
+| tst.yml:7:3:13:19 | [YamlMapping] name: Frau Mahlzahn | semmle.label | [YamlMapping] name: Frau Mahlzahn |
 | tst.yml:7:9:7:21 | [YamlScalar] Frau Mahlzahn | semmle.label | [YamlScalar] Frau Mahlzahn |
 | tst.yml:8:3:8:9 | [YamlScalar] address | semmle.label | [YamlScalar] address |
 | tst.yml:9:5:9:10 | [YamlScalar] street | semmle.label | [YamlScalar] street |
-| tst.yml:9:5:14:0 | [YamlMapping] street: \| | semmle.label | [YamlMapping] street: \| |
-| tst.yml:9:13:11:0 | [YamlScalar] \| | semmle.label | [YamlScalar] \| |
+| tst.yml:9:5:13:19 | [YamlMapping] street: \| | semmle.label | [YamlMapping] street: \| |
+| tst.yml:9:13:10:21 | [YamlScalar] \| | semmle.label | [YamlScalar] \| |
 | tst.yml:11:5:11:10 | [YamlScalar] number | semmle.label | [YamlScalar] number |
 | tst.yml:11:13:11:15 | [YamlScalar] 133 | semmle.label | [YamlScalar] 133 |
 | tst.yml:12:5:12:11 | [YamlScalar] country | semmle.label | [YamlScalar] country |
@@ -67,8 +67,8 @@ edges
 | file://:0:0:0:0 | (Mapping 0) street: | tst.yml:3:14:3:13 | [YamlScalar]  | semmle.order | 1 |
 | file://:0:0:0:0 | (Mapping 0) street: | tst.yml:9:5:9:10 | [YamlScalar] street | semmle.label | 0 |
 | file://:0:0:0:0 | (Mapping 0) street: | tst.yml:9:5:9:10 | [YamlScalar] street | semmle.order | 0 |
-| file://:0:0:0:0 | (Mapping 0) street: | tst.yml:9:13:11:0 | [YamlScalar] \| | semmle.label | 1 |
-| file://:0:0:0:0 | (Mapping 0) street: | tst.yml:9:13:11:0 | [YamlScalar] \| | semmle.order | 1 |
+| file://:0:0:0:0 | (Mapping 0) street: | tst.yml:9:13:10:21 | [YamlScalar] \| | semmle.label | 1 |
+| file://:0:0:0:0 | (Mapping 0) street: | tst.yml:9:13:10:21 | [YamlScalar] \| | semmle.order | 1 |
 | file://:0:0:0:0 | (Mapping 0) x: | merge.yaml:1:8:1:8 | [YamlScalar] x | semmle.label | 0 |
 | file://:0:0:0:0 | (Mapping 0) x: | merge.yaml:1:8:1:8 | [YamlScalar] x | semmle.order | 0 |
 | file://:0:0:0:0 | (Mapping 0) x: | merge.yaml:1:11:1:12 | [YamlScalar] 23 | semmle.label | 1 |
@@ -87,8 +87,8 @@ edges
 | file://:0:0:0:0 | (Mapping 1) address: | tst.yml:2:12:6:3 | [YamlMapping] { | semmle.order | 1 |
 | file://:0:0:0:0 | (Mapping 1) address: | tst.yml:8:3:8:9 | [YamlScalar] address | semmle.label | 0 |
 | file://:0:0:0:0 | (Mapping 1) address: | tst.yml:8:3:8:9 | [YamlScalar] address | semmle.order | 0 |
-| file://:0:0:0:0 | (Mapping 1) address: | tst.yml:9:5:14:0 | [YamlMapping] street: \| | semmle.label | 1 |
-| file://:0:0:0:0 | (Mapping 1) address: | tst.yml:9:5:14:0 | [YamlMapping] street: \| | semmle.order | 1 |
+| file://:0:0:0:0 | (Mapping 1) address: | tst.yml:9:5:13:19 | [YamlMapping] street: \| | semmle.label | 1 |
+| file://:0:0:0:0 | (Mapping 1) address: | tst.yml:9:5:13:19 | [YamlMapping] street: \| | semmle.order | 1 |
 | file://:0:0:0:0 | (Mapping 1) number: | tst.yml:4:5:4:12 | [YamlScalar] "number" | semmle.label | 0 |
 | file://:0:0:0:0 | (Mapping 1) number: | tst.yml:4:5:4:12 | [YamlScalar] "number" | semmle.order | 0 |
 | file://:0:0:0:0 | (Mapping 1) number: | tst.yml:4:15:4:16 | [YamlScalar] -1 | semmle.label | 1 |
@@ -121,31 +121,31 @@ edges
 | merge.yaml:2:3:3:8 | [YamlMapping] x: 56 | file://:0:0:0:0 | (Mapping 0) x: | semmle.order | 0 |
 | merge.yaml:2:3:3:8 | [YamlMapping] x: 56 | file://:0:0:0:0 | (Mapping 1) <<: | semmle.label | 1 |
 | merge.yaml:2:3:3:8 | [YamlMapping] x: 56 | file://:0:0:0:0 | (Mapping 1) <<: | semmle.order | 1 |
-| tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | tst.yml:1:3:7:0 | [YamlMapping] "name": "Jim Knopf" | semmle.label | 0 |
-| tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | tst.yml:1:3:7:0 | [YamlMapping] "name": "Jim Knopf" | semmle.order | 0 |
-| tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | tst.yml:7:3:14:0 | [YamlMapping] name: Frau Mahlzahn | semmle.label | 1 |
-| tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | tst.yml:7:3:14:0 | [YamlMapping] name: Frau Mahlzahn | semmle.order | 1 |
+| tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | tst.yml:1:3:6:4 | [YamlMapping] "name": "Jim Knopf" | semmle.label | 0 |
+| tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | tst.yml:1:3:6:4 | [YamlMapping] "name": "Jim Knopf" | semmle.order | 0 |
+| tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | tst.yml:7:3:13:19 | [YamlMapping] name: Frau Mahlzahn | semmle.label | 1 |
+| tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | tst.yml:7:3:13:19 | [YamlMapping] name: Frau Mahlzahn | semmle.order | 1 |
 | tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | tst.yml:14:3:14:23 | [YamlScalar] !includ ... nal.yml | semmle.label | 2 |
 | tst.yml:1:1:14:23 | [YamlSequence] - "name ...  Knopf" | tst.yml:14:3:14:23 | [YamlScalar] !includ ... nal.yml | semmle.order | 2 |
-| tst.yml:1:3:7:0 | [YamlMapping] "name": "Jim Knopf" | file://:0:0:0:0 | (Mapping 0) name: | semmle.label | 0 |
-| tst.yml:1:3:7:0 | [YamlMapping] "name": "Jim Knopf" | file://:0:0:0:0 | (Mapping 0) name: | semmle.order | 0 |
-| tst.yml:1:3:7:0 | [YamlMapping] "name": "Jim Knopf" | file://:0:0:0:0 | (Mapping 1) address: | semmle.label | 1 |
-| tst.yml:1:3:7:0 | [YamlMapping] "name": "Jim Knopf" | file://:0:0:0:0 | (Mapping 1) address: | semmle.order | 1 |
+| tst.yml:1:3:6:4 | [YamlMapping] "name": "Jim Knopf" | file://:0:0:0:0 | (Mapping 0) name: | semmle.label | 0 |
+| tst.yml:1:3:6:4 | [YamlMapping] "name": "Jim Knopf" | file://:0:0:0:0 | (Mapping 0) name: | semmle.order | 0 |
+| tst.yml:1:3:6:4 | [YamlMapping] "name": "Jim Knopf" | file://:0:0:0:0 | (Mapping 1) address: | semmle.label | 1 |
+| tst.yml:1:3:6:4 | [YamlMapping] "name": "Jim Knopf" | file://:0:0:0:0 | (Mapping 1) address: | semmle.order | 1 |
 | tst.yml:2:12:6:3 | [YamlMapping] { | file://:0:0:0:0 | (Mapping 0) street: | semmle.label | 0 |
 | tst.yml:2:12:6:3 | [YamlMapping] { | file://:0:0:0:0 | (Mapping 0) street: | semmle.order | 0 |
 | tst.yml:2:12:6:3 | [YamlMapping] { | file://:0:0:0:0 | (Mapping 1) number: | semmle.label | 1 |
 | tst.yml:2:12:6:3 | [YamlMapping] { | file://:0:0:0:0 | (Mapping 1) number: | semmle.order | 1 |
 | tst.yml:2:12:6:3 | [YamlMapping] { | file://:0:0:0:0 | (Mapping 2) country: | semmle.label | 2 |
 | tst.yml:2:12:6:3 | [YamlMapping] { | file://:0:0:0:0 | (Mapping 2) country: | semmle.order | 2 |
-| tst.yml:7:3:14:0 | [YamlMapping] name: Frau Mahlzahn | file://:0:0:0:0 | (Mapping 0) name: | semmle.label | 0 |
-| tst.yml:7:3:14:0 | [YamlMapping] name: Frau Mahlzahn | file://:0:0:0:0 | (Mapping 0) name: | semmle.order | 0 |
-| tst.yml:7:3:14:0 | [YamlMapping] name: Frau Mahlzahn | file://:0:0:0:0 | (Mapping 1) address: | semmle.label | 1 |
-| tst.yml:7:3:14:0 | [YamlMapping] name: Frau Mahlzahn | file://:0:0:0:0 | (Mapping 1) address: | semmle.order | 1 |
-| tst.yml:9:5:14:0 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 0) street: | semmle.label | 0 |
-| tst.yml:9:5:14:0 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 0) street: | semmle.order | 0 |
-| tst.yml:9:5:14:0 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 1) number: | semmle.label | 1 |
-| tst.yml:9:5:14:0 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 1) number: | semmle.order | 1 |
-| tst.yml:9:5:14:0 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 2) country: | semmle.label | 2 |
-| tst.yml:9:5:14:0 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 2) country: | semmle.order | 2 |
+| tst.yml:7:3:13:19 | [YamlMapping] name: Frau Mahlzahn | file://:0:0:0:0 | (Mapping 0) name: | semmle.label | 0 |
+| tst.yml:7:3:13:19 | [YamlMapping] name: Frau Mahlzahn | file://:0:0:0:0 | (Mapping 0) name: | semmle.order | 0 |
+| tst.yml:7:3:13:19 | [YamlMapping] name: Frau Mahlzahn | file://:0:0:0:0 | (Mapping 1) address: | semmle.label | 1 |
+| tst.yml:7:3:13:19 | [YamlMapping] name: Frau Mahlzahn | file://:0:0:0:0 | (Mapping 1) address: | semmle.order | 1 |
+| tst.yml:9:5:13:19 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 0) street: | semmle.label | 0 |
+| tst.yml:9:5:13:19 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 0) street: | semmle.order | 0 |
+| tst.yml:9:5:13:19 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 1) number: | semmle.label | 1 |
+| tst.yml:9:5:13:19 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 1) number: | semmle.order | 1 |
+| tst.yml:9:5:13:19 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 2) country: | semmle.label | 2 |
+| tst.yml:9:5:13:19 | [YamlMapping] street: \| | file://:0:0:0:0 | (Mapping 2) country: | semmle.order | 2 |
 graphProperties
 | semmle.graphKind | tree |
--- a/javascript/ql/test/library-tests/YAML/tests.expected
+++ b/javascript/ql/test/library-tests/YAML/tests.expected
@@ -12,16 +12,16 @@ yamlMapping_maps
 | merge.yaml:2:3:3:8 | x: 56 | merge.yaml:1:15:1:15 | y | merge.yaml:1:18:1:19 | 42 |
 | merge.yaml:2:3:3:8 | x: 56 | merge.yaml:2:3:2:3 | x | merge.yaml:2:6:2:7 | 56 |
 | merge.yaml:2:3:3:8 | x: 56 | merge.yaml:3:3:3:4 | << | merge.yaml:1:3:1:21 | &A { x: 23, y: 42 } |
-| tst.yml:1:3:7:0 | "name": "Jim Knopf" | tst.yml:1:3:1:8 | "name" | tst.yml:1:11:1:21 | "Jim Knopf" |
-| tst.yml:1:3:7:0 | "name": "Jim Knopf" | tst.yml:2:3:2:9 | address | tst.yml:2:12:6:3 | { |
+| tst.yml:1:3:6:4 | "name": "Jim Knopf" | tst.yml:1:3:1:8 | "name" | tst.yml:1:11:1:21 | "Jim Knopf" |
+| tst.yml:1:3:6:4 | "name": "Jim Knopf" | tst.yml:2:3:2:9 | address | tst.yml:2:12:6:3 | { |
 | tst.yml:2:12:6:3 | { | tst.yml:3:5:3:12 | "street" | tst.yml:3:14:3:13 |  |
 | tst.yml:2:12:6:3 | { | tst.yml:4:5:4:12 | "number" | tst.yml:4:15:4:16 | -1 |
 | tst.yml:2:12:6:3 | { | tst.yml:5:5:5:13 | "country" | tst.yml:5:16:5:27 | "Lummerland" |
-| tst.yml:7:3:14:0 | name: Frau Mahlzahn | tst.yml:7:3:7:6 | name | tst.yml:7:9:7:21 | Frau Mahlzahn |
-| tst.yml:7:3:14:0 | name: Frau Mahlzahn | tst.yml:8:3:8:9 | address | tst.yml:9:5:14:0 | street: \| |
-| tst.yml:9:5:14:0 | street: \| | tst.yml:9:5:9:10 | street | tst.yml:9:13:11:0 | \| |
-| tst.yml:9:5:14:0 | street: \| | tst.yml:11:5:11:10 | number | tst.yml:11:13:11:15 | 133 |
-| tst.yml:9:5:14:0 | street: \| | tst.yml:12:5:12:11 | country | tst.yml:12:14:13:18 | < |
+| tst.yml:7:3:13:19 | name: Frau Mahlzahn | tst.yml:7:3:7:6 | name | tst.yml:7:9:7:21 | Frau Mahlzahn |
+| tst.yml:7:3:13:19 | name: Frau Mahlzahn | tst.yml:8:3:8:9 | address | tst.yml:9:5:13:19 | street: \| |
+| tst.yml:9:5:13:19 | street: \| | tst.yml:9:5:9:10 | street | tst.yml:9:13:10:21 | \| |
+| tst.yml:9:5:13:19 | street: \| | tst.yml:11:5:11:10 | number | tst.yml:11:13:11:15 | 133 |
+| tst.yml:9:5:13:19 | street: \| | tst.yml:12:5:12:11 | country | tst.yml:12:14:13:18 | < |
 yamlNode
 | external.yml:1:1:1:2 | 42 | tag:yaml.org,2002:int |
 | merge.yaml:1:1:3:8 | - &A {  ... y: 42 } | tag:yaml.org,2002:seq |
@@ -37,7 +37,7 @@ yamlNode
 | merge.yaml:3:7:3:8 | *A |  |
 | tst.yml:1:1:14:23 | - "name ...  Knopf" | tag:yaml.org,2002:seq |
 | tst.yml:1:3:1:8 | "name" | tag:yaml.org,2002:str |
-| tst.yml:1:3:7:0 | "name": "Jim Knopf" | tag:yaml.org,2002:map |
+| tst.yml:1:3:6:4 | "name": "Jim Knopf" | tag:yaml.org,2002:map |
 | tst.yml:1:11:1:21 | "Jim Knopf" | tag:yaml.org,2002:str |
 | tst.yml:2:3:2:9 | address | tag:yaml.org,2002:str |
 | tst.yml:2:12:6:3 | { | tag:yaml.org,2002:map |
@@ -48,12 +48,12 @@ yamlNode
 | tst.yml:5:5:5:13 | "country" | tag:yaml.org,2002:str |
 | tst.yml:5:16:5:27 | "Lummerland" | tag:yaml.org,2002:str |
 | tst.yml:7:3:7:6 | name | tag:yaml.org,2002:str |
-| tst.yml:7:3:14:0 | name: Frau Mahlzahn | tag:yaml.org,2002:map |
+| tst.yml:7:3:13:19 | name: Frau Mahlzahn | tag:yaml.org,2002:map |
 | tst.yml:7:9:7:21 | Frau Mahlzahn | tag:yaml.org,2002:str |
 | tst.yml:8:3:8:9 | address | tag:yaml.org,2002:str |
 | tst.yml:9:5:9:10 | street | tag:yaml.org,2002:str |
-| tst.yml:9:5:14:0 | street: \| | tag:yaml.org,2002:map |
-| tst.yml:9:13:11:0 | \| | tag:yaml.org,2002:str |
+| tst.yml:9:5:13:19 | street: \| | tag:yaml.org,2002:map |
+| tst.yml:9:13:10:21 | \| | tag:yaml.org,2002:str |
 | tst.yml:11:5:11:10 | number | tag:yaml.org,2002:str |
 | tst.yml:11:13:11:15 | 133 | tag:yaml.org,2002:int |
 | tst.yml:12:5:12:11 | country | tag:yaml.org,2002:str |
@@ -81,7 +81,7 @@ yamlScalar
 | tst.yml:7:9:7:21 | Frau Mahlzahn |  | Frau Mahlzahn |
 | tst.yml:8:3:8:9 | address |  | address |
 | tst.yml:9:5:9:10 | street |  | street |
-| tst.yml:9:13:11:0 | \| | \| | Alte Strasse\n |
+| tst.yml:9:13:10:21 | \| | \| | Alte Strasse\n |
 | tst.yml:11:5:11:10 | number |  | number |
 | tst.yml:11:13:11:15 | 133 |  | 133 |
 | tst.yml:12:5:12:11 | country |  | country |
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue.yml
@@ -2,6 +2,12 @@ on: issue_comment

 jobs:
  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: |
+        echo '${{ github.event.comment.body }}'
+
+  echo-chamber2:
    runs-on: ubuntu-latest
    steps:
    - run: |
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue_newline.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue_newline.yml
@@ -0,0 +1,10 @@
+on: issue_comment
+
+# same as comment_issue but this file ends with a line break
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo '${{ github.event.comment.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.expected
@@ -1 +1,3 @@
-| .github/workflows/comment_issue.yml:7:12:8:47 | \| | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |
+| .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |
+| .github/workflows/comment_issue.yml:13:12:14:47 | \| | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |
+| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
@@ -117,6 +117,12 @@ nodes
 | lib.js:128:9:128:20 | obj[path[0]] |
 | lib.js:128:13:128:16 | path |
 | lib.js:128:13:128:19 | path[0] |
+| sublib/other.js:5:28:5:31 | path |
+| sublib/other.js:5:28:5:31 | path |
+| sublib/other.js:6:7:6:18 | obj[path[0]] |
+| sublib/other.js:6:7:6:18 | obj[path[0]] |
+| sublib/other.js:6:11:6:14 | path |
+| sublib/other.js:6:11:6:17 | path[0] |
 | sublib/sub.js:1:37:1:40 | path |
 | sublib/sub.js:1:37:1:40 | path |
 | sublib/sub.js:2:3:2:14 | obj[path[0]] |
@@ -289,6 +295,11 @@ edges
 | lib.js:128:13:128:16 | path | lib.js:128:13:128:19 | path[0] |
 | lib.js:128:13:128:19 | path[0] | lib.js:128:9:128:20 | obj[path[0]] |
 | lib.js:128:13:128:19 | path[0] | lib.js:128:9:128:20 | obj[path[0]] |
+| sublib/other.js:5:28:5:31 | path | sublib/other.js:6:11:6:14 | path |
+| sublib/other.js:5:28:5:31 | path | sublib/other.js:6:11:6:14 | path |
+| sublib/other.js:6:11:6:14 | path | sublib/other.js:6:11:6:17 | path[0] |
+| sublib/other.js:6:11:6:17 | path[0] | sublib/other.js:6:7:6:18 | obj[path[0]] |
+| sublib/other.js:6:11:6:17 | path[0] | sublib/other.js:6:7:6:18 | obj[path[0]] |
 | sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:7:2:10 | path |
 | sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:7:2:10 | path |
 | sublib/sub.js:2:7:2:10 | path | sublib/sub.js:2:7:2:13 | path[0] |
@@ -356,6 +367,7 @@ edges
 | lib.js:108:3:108:10 | obj[one] | lib.js:104:13:104:21 | arguments | lib.js:108:3:108:10 | obj[one] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:104:13:104:21 | arguments | library input |
 | lib.js:119:13:119:24 | obj[path[0]] | lib.js:118:29:118:32 | path | lib.js:119:13:119:24 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:118:29:118:32 | path | library input |
 | lib.js:128:9:128:20 | obj[path[0]] | lib.js:127:14:127:17 | path | lib.js:128:9:128:20 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:127:14:127:17 | path | library input |
+| sublib/other.js:6:7:6:18 | obj[path[0]] | sublib/other.js:5:28:5:31 | path | sublib/other.js:6:7:6:18 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/other.js:5:28:5:31 | path | library input |
 | sublib/sub.js:2:3:2:14 | obj[path[0]] | sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/sub.js:1:37:1:40 | path | library input |
 | tst.js:8:5:8:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:8:5:8:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |
 | tst.js:9:5:9:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:9:5:9:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js
@@ -0,0 +1,15 @@
+(function () {
+  function Foobar() {}
+
+  Foobar.prototype = {
+    method: function (obj, path, value) {
+      obj[path[0]][path[1]] = value; // NOT OK
+    },
+  };
+
+  module.exports.foobar = Foobar;
+
+  module.other.notExported = function (obj, path, value) {
+    obj[path[0]][path[1]] = value; // OK - not exported
+  }
+})();
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js
@@ -1,3 +1,6 @@
 module.exports.set = function (obj, path, value) {
  obj[path[0]][path[1]] = value; // NOT OK
-}
+}
+
+var other = require('./other')
+exports.foobar = other.foobar;