Merge branch 'main' into restify_improvements

Alvaro Muñoz
2022-10-19 21:57:37 +02:00
committed by GitHub
1814 changed files with 39023 additions and 61680 deletions


@@ -151,7 +151,7 @@ private int getMaxChars() { result = 1000000 }
*/
string getBodyTokensFeature(Function function) {
// Performance optimization: If a function has more than 256 body subtokens, then featurize it as
// absent. This approximates the behavior of the classifer on non-generic body features where
// absent. This approximates the behavior of the classifier on non-generic body features where
// large body features are replaced by the absent token.
//
// We count nodes instead of tokens because tokens are often not unique.


@@ -1,5 +1,5 @@
name: codeql/javascript-experimental-atm-lib
version: 0.3.4
version: 0.3.6
extractor: javascript
library: true
groups:


@@ -1,6 +1,6 @@
---
dependencies:
codeql/javascript-experimental-atm-model:
version: 0.2.0
version: 0.2.1-2022-09-06-08h55m54s.bubbly-basin-xpztl8fh.f3c3c9360a727959e428ecc6932257e6a546dc65d8a9baac525a49247123822d
compiled: false
lockVersion: 1.0.0


@@ -2,7 +2,7 @@
* For internal use only.
*
*
* Count the number of sinks and alerts for the `NosqlInection` security query.
* Count the number of sinks and alerts for the `NosqlInjection` security query.
*/
import semmle.javascript.security.dataflow.NosqlInjectionQuery


@@ -2,7 +2,7 @@
* For internal use only.
*
*
* Count the number of sinks and alerts for the `SqlInection` security query.
* Count the number of sinks and alerts for the `SqlInjection` security query.
*/
import semmle.javascript.security.dataflow.SqlInjectionQuery


@@ -1,25 +0,0 @@
/**
* NosqlInjection.ql
*
* Version of the standard NoSQL injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import javascript
import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
import EndToEndEvaluation as EndToEndEvaluation
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
where
cfg instanceof NosqlInjection::Configuration and
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource)
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,28 +0,0 @@
/**
* NosqlInjectionATM.ql
*
* Version of the boosted NoSQL injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.NosqlInjectionATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
getScoreForFlow(source, sink) = score
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,29 +0,0 @@
/**
* NosqlInjectionATMLite.ql
*
* Arbitrarily ranked version of the boosted NoSQL injection query with an output relation ready to
* plug into the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint
* filters, and (b) as a baseline to compare the model against.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.NosqlInjectionATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
score = 0
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,25 +0,0 @@
/**
* SqlInjection.ql
*
* Version of the standard SQL injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import javascript
import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
import EndToEndEvaluation as EndToEndEvaluation
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
where
cfg instanceof SqlInjection::Configuration and
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource)
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,28 +0,0 @@
/**
* SqlInjectionATM.ql
*
* Version of the boosted SQL injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.SqlInjectionATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
getScoreForFlow(source, sink) = score
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,29 +0,0 @@
/**
* SqlInjectionATMLite.ql
*
* Arbitrarily ranked version of the boosted SQL injection query with an output relation ready to
* plug into the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint
* filters, and (b) as a baseline to compare the model against.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.SqlInjectionATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
score = 0
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,25 +0,0 @@
/**
* TaintedPath.ql
*
* Version of the standard path injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import javascript
import semmle.javascript.security.dataflow.TaintedPathQuery as TaintedPath
import EndToEndEvaluation as EndToEndEvaluation
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
where
cfg instanceof TaintedPath::Configuration and
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource)
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,28 +0,0 @@
/**
* TaintedPathATM.ql
*
* Version of the boosted path injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.TaintedPathATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
getScoreForFlow(source, sink) = score
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,29 +0,0 @@
/**
* TaintedPathATMLite.ql
*
* Arbitrarily ranked version of the boosted path injection query with an output relation ready to
* plug into the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint
* filters, and (b) as a baseline to compare the model against.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.TaintedPathATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
score = 0
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,25 +0,0 @@
/**
* Xss.ql
*
* Version of the standard XSS query with an output relation ready to plug into the evaluation
* pipeline.
*/
import javascript
import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
import EndToEndEvaluation as EndToEndEvaluation
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
where
cfg instanceof DomBasedXss::Configuration and
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource)
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,29 +0,0 @@
/**
* XssATM.ql
*
* Version of the boosted XSS query with an output relation ready to plug into the evaluation
* pipeline.
*/
import javascript
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.XssATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
getScoreForFlow(source, sink) = score
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,30 +0,0 @@
/**
* XssATMLite.ql
*
* Arbitrarily ranked version of the boosted XSS query with an output relation ready to plug into
* the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint filters,
* and (b) as a baseline to compare the model against.
*/
import javascript
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.XssATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
score = 0
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,25 +0,0 @@
/*
* For internal use only.
*
* Extracts evaluation data we can use to evaluate ML models for ML-powered queries.
*/
import javascript
import ExtractEndpointData as ExtractEndpointData
query predicate endpoints(
DataFlow::Node endpoint, string queryName, string key, string value, string valueType
) {
ExtractEndpointData::endpoints(endpoint, queryName, key, value, valueType) and
// only select endpoints that are either Sink, NotASink or Unknown
ExtractEndpointData::endpoints(endpoint, queryName, "sinkLabel", ["Sink", "NotASink", "Unknown"],
"string") and
// do not select endpoints filtered out by end-to-end evaluation
ExtractEndpointData::endpoints(endpoint, queryName, "isExcludedFromEndToEndEvaluation", "false",
"boolean")
}
query predicate tokenFeatures(DataFlow::Node endpoint, string featureName, string featureValue) {
endpoints(endpoint, _, _, _, _) and
ExtractEndpointData::tokenFeatures(endpoint, featureName, featureValue)
}


@@ -6,4 +6,4 @@ groups:
- experimental
dependencies:
codeql/javascript-experimental-atm-lib: "*"
codeql/javascript-experimental-atm-model: "0.2.0"
codeql/javascript-experimental-atm-model: "0.2.1-2022-09-06-08h55m54s.bubbly-basin-xpztl8fh.f3c3c9360a727959e428ecc6932257e6a546dc65d8a9baac525a49247123822d"
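Review bot: The `codeql/javascript-experimental-atm-model` pin moves from the plain `"0.2.0"` to a `0.2.1-…` pre-release identifier with a timestamp and a long hex suffix, and nothing in the manifest says why. It looks like a specific pre-release model build rather than a published release, so anyone resolving this pack depends on that exact build staying available in the registry. I would add a comment above the line, for example `# Pinned to a pre-release model build; switch to the released 0.2.1 once it is published.`, so the pin is not carried forward unnoticed. The same applies to the identical pin in the `codeql/javascript-experimental-atm-queries` manifest further down this page. This hunk starts at line 6 of the file, so the top of the manifest is not visible here.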


@@ -1,6 +1,6 @@
---
dependencies:
codeql/javascript-experimental-atm-model:
version: 0.2.0
version: 0.2.1-2022-09-06-08h55m54s.bubbly-basin-xpztl8fh.f3c3c9360a727959e428ecc6932257e6a546dc65d8a9baac525a49247123822d
compiled: false
lockVersion: 1.0.0


@@ -1,6 +1,6 @@
name: codeql/javascript-experimental-atm-queries
language: javascript
version: 0.3.4
version: 0.3.6
suites: codeql-suites
defaultSuiteFile: codeql-suites/javascript-atm-code-scanning.qls
groups:
@@ -8,4 +8,4 @@ groups:
- experimental
dependencies:
codeql/javascript-experimental-atm-lib: "*"
codeql/javascript-experimental-atm-model: "0.2.0"
codeql/javascript-experimental-atm-model: "0.2.1-2022-09-06-08h55m54s.bubbly-basin-xpztl8fh.f3c3c9360a727959e428ecc6932257e6a546dc65d8a9baac525a49247123822d"


@@ -1,6 +1,6 @@
---
dependencies:
codeql/javascript-experimental-atm-model:
version: 0.2.0
version: 0.2.1-2022-09-06-08h55m54s.bubbly-basin-xpztl8fh.f3c3c9360a727959e428ecc6932257e6a546dc65d8a9baac525a49247123822d
compiled: false
lockVersion: 1.0.0


@@ -1,530 +0,0 @@
endpoints
| index.js:1:25:1:33 | "express" | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:1:25:1:33 | "express" | TaintedPath | isConstantExpression | true | boolean |
| index.js:1:25:1:33 | "express" | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:1:25:1:33 | "express" | TaintedPath | sinkLabel | Sink | string |
| index.js:2:26:2:35 | 'mongoose' | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:2:26:2:35 | 'mongoose' | TaintedPath | isConstantExpression | true | boolean |
| index.js:2:26:2:35 | 'mongoose' | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:2:26:2:35 | 'mongoose' | TaintedPath | sinkLabel | Sink | string |
| index.js:3:29:3:34 | 'User' | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:3:29:3:34 | 'User' | NosqlInjection | isConstantExpression | true | boolean |
| index.js:3:29:3:34 | 'User' | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:29:3:34 | 'User' | NosqlInjection | sinkLabel | Unknown | string |
| index.js:3:29:3:34 | 'User' | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:3:29:3:34 | 'User' | SqlInjection | isConstantExpression | true | boolean |
| index.js:3:29:3:34 | 'User' | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:29:3:34 | 'User' | SqlInjection | sinkLabel | Unknown | string |
| index.js:3:29:3:34 | 'User' | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:3:29:3:34 | 'User' | TaintedPath | isConstantExpression | true | boolean |
| index.js:3:29:3:34 | 'User' | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:29:3:34 | 'User' | TaintedPath | sinkLabel | Unknown | string |
| index.js:3:29:3:34 | 'User' | Xss | hasFlowFromSource | false | boolean |
| index.js:3:29:3:34 | 'User' | Xss | isConstantExpression | true | boolean |
| index.js:3:29:3:34 | 'User' | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:29:3:34 | 'User' | Xss | sinkLabel | Unknown | string |
| index.js:3:37:3:40 | null | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:3:37:3:40 | null | NosqlInjection | isConstantExpression | true | boolean |
| index.js:3:37:3:40 | null | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:37:3:40 | null | NosqlInjection | sinkLabel | Unknown | string |
| index.js:3:37:3:40 | null | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:3:37:3:40 | null | SqlInjection | isConstantExpression | true | boolean |
| index.js:3:37:3:40 | null | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:37:3:40 | null | SqlInjection | sinkLabel | Unknown | string |
| index.js:3:37:3:40 | null | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:3:37:3:40 | null | TaintedPath | isConstantExpression | true | boolean |
| index.js:3:37:3:40 | null | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:37:3:40 | null | TaintedPath | sinkLabel | Unknown | string |
| index.js:3:37:3:40 | null | Xss | hasFlowFromSource | false | boolean |
| index.js:3:37:3:40 | null | Xss | isConstantExpression | true | boolean |
| index.js:3:37:3:40 | null | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:37:3:40 | null | Xss | sinkLabel | Unknown | string |
| index.js:8:12:8:21 | '/isAdmin' | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | NosqlInjection | isConstantExpression | true | boolean |
| index.js:8:12:8:21 | '/isAdmin' | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | NosqlInjection | sinkLabel | Unknown | string |
| index.js:8:12:8:21 | '/isAdmin' | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | SqlInjection | isConstantExpression | true | boolean |
| index.js:8:12:8:21 | '/isAdmin' | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | SqlInjection | sinkLabel | Unknown | string |
| index.js:8:12:8:21 | '/isAdmin' | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | TaintedPath | isConstantExpression | true | boolean |
| index.js:8:12:8:21 | '/isAdmin' | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | TaintedPath | sinkLabel | Unknown | string |
| index.js:8:12:8:21 | '/isAdmin' | Xss | hasFlowFromSource | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | Xss | isConstantExpression | true | boolean |
| index.js:8:12:8:21 | '/isAdmin' | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | Xss | sinkLabel | Unknown | string |
| index.js:8:24:10:3 | (req, r ... });\\n } | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | NosqlInjection | isConstantExpression | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | NosqlInjection | sinkLabel | Unknown | string |
| index.js:8:24:10:3 | (req, r ... });\\n } | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | SqlInjection | isConstantExpression | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | SqlInjection | sinkLabel | Unknown | string |
| index.js:8:24:10:3 | (req, r ... });\\n } | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | TaintedPath | isConstantExpression | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | TaintedPath | sinkLabel | Unknown | string |
| index.js:8:24:10:3 | (req, r ... });\\n } | Xss | hasFlowFromSource | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | Xss | isConstantExpression | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | Xss | sinkLabel | Unknown | string |
| index.js:9:15:9:45 | { 'isAd ... Admin } | NosqlInjection | hasFlowFromSource | true | boolean |
| index.js:9:15:9:45 | { 'isAd ... Admin } | NosqlInjection | isConstantExpression | false | boolean |
| index.js:9:15:9:45 | { 'isAd ... Admin } | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:9:15:9:45 | { 'isAd ... Admin } | NosqlInjection | sinkLabel | Sink | string |
| index.js:9:28:9:43 | req.body.isAdmin | SqlInjection | hasFlowFromSource | true | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | SqlInjection | isConstantExpression | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | SqlInjection | sinkLabel | Unknown | string |
| index.js:9:28:9:43 | req.body.isAdmin | TaintedPath | hasFlowFromSource | true | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | TaintedPath | isConstantExpression | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | TaintedPath | sinkLabel | Unknown | string |
| index.js:9:28:9:43 | req.body.isAdmin | Xss | hasFlowFromSource | true | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | Xss | isConstantExpression | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | Xss | sinkLabel | Unknown | string |
| index.js:14:12:14:21 | '/isAdmin' | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | NosqlInjection | isConstantExpression | true | boolean |
| index.js:14:12:14:21 | '/isAdmin' | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | NosqlInjection | sinkLabel | Unknown | string |
| index.js:14:12:14:21 | '/isAdmin' | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | SqlInjection | isConstantExpression | true | boolean |
| index.js:14:12:14:21 | '/isAdmin' | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | SqlInjection | sinkLabel | Unknown | string |
| index.js:14:12:14:21 | '/isAdmin' | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | TaintedPath | isConstantExpression | true | boolean |
| index.js:14:12:14:21 | '/isAdmin' | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | TaintedPath | sinkLabel | Unknown | string |
| index.js:14:12:14:21 | '/isAdmin' | Xss | hasFlowFromSource | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | Xss | isConstantExpression | true | boolean |
| index.js:14:12:14:21 | '/isAdmin' | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | Xss | sinkLabel | Unknown | string |
| index.js:14:24:16:3 | (req, r ... n);\\n } | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | NosqlInjection | isConstantExpression | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | NosqlInjection | sinkLabel | Unknown | string |
| index.js:14:24:16:3 | (req, r ... n);\\n } | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | SqlInjection | isConstantExpression | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | SqlInjection | sinkLabel | Unknown | string |
| index.js:14:24:16:3 | (req, r ... n);\\n } | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | TaintedPath | isConstantExpression | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | TaintedPath | sinkLabel | Unknown | string |
| index.js:14:24:16:3 | (req, r ... n);\\n } | Xss | hasFlowFromSource | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | Xss | isConstantExpression | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | Xss | sinkLabel | Unknown | string |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | hasFlowFromSource | true | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | isConstantExpression | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | notASinkReason | LoggerMethod | string |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | sinkLabel | NotASink | string |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | hasFlowFromSource | true | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | isConstantExpression | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | notASinkReason | LoggerMethod | string |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | sinkLabel | NotASink | string |
| index.js:15:17:15:32 | req.body.isAdmin | TaintedPath | hasFlowFromSource | true | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | TaintedPath | isConstantExpression | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | TaintedPath | notASinkReason | LoggerMethod | string |
| index.js:15:17:15:32 | req.body.isAdmin | TaintedPath | sinkLabel | NotASink | string |
| index.js:15:17:15:32 | req.body.isAdmin | Xss | hasFlowFromSource | true | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | Xss | isConstantExpression | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | Xss | notASinkReason | LoggerMethod | string |
| index.js:15:17:15:32 | req.body.isAdmin | Xss | sinkLabel | NotASink | string |
| index.js:20:13:20:31 | { 'isAdmin': true } | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:20:13:20:31 | { 'isAdmin': true } | NosqlInjection | isConstantExpression | false | boolean |
| index.js:20:13:20:31 | { 'isAdmin': true } | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:20:13:20:31 | { 'isAdmin': true } | NosqlInjection | sinkLabel | Sink | string |
| index.js:20:26:20:29 | true | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:20:26:20:29 | true | SqlInjection | isConstantExpression | true | boolean |
| index.js:20:26:20:29 | true | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:20:26:20:29 | true | SqlInjection | sinkLabel | Unknown | string |
| index.js:20:26:20:29 | true | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:20:26:20:29 | true | TaintedPath | isConstantExpression | true | boolean |
| index.js:20:26:20:29 | true | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:20:26:20:29 | true | TaintedPath | sinkLabel | Unknown | string |
| index.js:20:26:20:29 | true | Xss | hasFlowFromSource | false | boolean |
| index.js:20:26:20:29 | true | Xss | isConstantExpression | true | boolean |
| index.js:20:26:20:29 | true | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:20:26:20:29 | true | Xss | sinkLabel | Unknown | string |
| index.js:24:13:24:22 | "constant" | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:24:13:24:22 | "constant" | NosqlInjection | isConstantExpression | true | boolean |
| index.js:24:13:24:22 | "constant" | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:24:13:24:22 | "constant" | NosqlInjection | sinkLabel | Sink | string |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | NosqlInjection | isConstantExpression | false | boolean |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | NosqlInjection | sinkLabel | Sink | string |
| index.js:32:15:32:24 | "someData" | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:32:15:32:24 | "someData" | NosqlInjection | isConstantExpression | true | boolean |
| index.js:32:15:32:24 | "someData" | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:32:15:32:24 | "someData" | NosqlInjection | notASinkReason | LoggerMethod | string |
| index.js:32:15:32:24 | "someData" | NosqlInjection | sinkLabel | NotASink | string |
| index.js:32:15:32:24 | "someData" | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:32:15:32:24 | "someData" | SqlInjection | isConstantExpression | true | boolean |
| index.js:32:15:32:24 | "someData" | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:32:15:32:24 | "someData" | SqlInjection | notASinkReason | LoggerMethod | string |
| index.js:32:15:32:24 | "someData" | SqlInjection | sinkLabel | NotASink | string |
| index.js:32:15:32:24 | "someData" | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:32:15:32:24 | "someData" | TaintedPath | isConstantExpression | true | boolean |
| index.js:32:15:32:24 | "someData" | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:32:15:32:24 | "someData" | TaintedPath | notASinkReason | LoggerMethod | string |
| index.js:32:15:32:24 | "someData" | TaintedPath | sinkLabel | NotASink | string |
| index.js:32:15:32:24 | "someData" | Xss | hasFlowFromSource | false | boolean |
| index.js:32:15:32:24 | "someData" | Xss | isConstantExpression | true | boolean |
| index.js:32:15:32:24 | "someData" | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:32:15:32:24 | "someData" | Xss | notASinkReason | LoggerMethod | string |
| index.js:32:15:32:24 | "someData" | Xss | sinkLabel | NotASink | string |
| index.js:36:20:36:22 | "a" | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:36:20:36:22 | "a" | NosqlInjection | isConstantExpression | true | boolean |
| index.js:36:20:36:22 | "a" | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:36:20:36:22 | "a" | NosqlInjection | notASinkReason | ConstantReceiver | string |
| index.js:36:20:36:22 | "a" | NosqlInjection | notASinkReason | StringStartsWith | string |
| index.js:36:20:36:22 | "a" | NosqlInjection | sinkLabel | NotASink | string |
| index.js:36:20:36:22 | "a" | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:36:20:36:22 | "a" | SqlInjection | isConstantExpression | true | boolean |
| index.js:36:20:36:22 | "a" | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:36:20:36:22 | "a" | SqlInjection | notASinkReason | ConstantReceiver | string |
| index.js:36:20:36:22 | "a" | SqlInjection | notASinkReason | StringStartsWith | string |
| index.js:36:20:36:22 | "a" | SqlInjection | sinkLabel | NotASink | string |
| index.js:36:20:36:22 | "a" | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:36:20:36:22 | "a" | TaintedPath | isConstantExpression | true | boolean |
| index.js:36:20:36:22 | "a" | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:36:20:36:22 | "a" | TaintedPath | notASinkReason | ConstantReceiver | string |
| index.js:36:20:36:22 | "a" | TaintedPath | notASinkReason | StringStartsWith | string |
| index.js:36:20:36:22 | "a" | TaintedPath | sinkLabel | NotASink | string |
| index.js:36:20:36:22 | "a" | Xss | hasFlowFromSource | false | boolean |
| index.js:36:20:36:22 | "a" | Xss | isConstantExpression | true | boolean |
| index.js:36:20:36:22 | "a" | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:36:20:36:22 | "a" | Xss | notASinkReason | ConstantReceiver | string |
| index.js:36:20:36:22 | "a" | Xss | notASinkReason | StringStartsWith | string |
| index.js:36:20:36:22 | "a" | Xss | sinkLabel | NotASink | string |
| index.js:41:13:68:61 | "a" + " ... " + "a" | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:41:13:68:61 | "a" + " ... " + "a" | NosqlInjection | isConstantExpression | true | boolean |
| index.js:41:13:68:61 | "a" + " ... " + "a" | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:41:13:68:61 | "a" + " ... " + "a" | NosqlInjection | sinkLabel | Sink | string |
| index.js:78:30:78:39 | "someData" | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:78:30:78:39 | "someData" | NosqlInjection | isConstantExpression | true | boolean |
| index.js:78:30:78:39 | "someData" | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:78:30:78:39 | "someData" | NosqlInjection | notASinkReason | LoggerMethod | string |
| index.js:78:30:78:39 | "someData" | NosqlInjection | sinkLabel | NotASink | string |
| index.js:78:30:78:39 | "someData" | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:78:30:78:39 | "someData" | SqlInjection | isConstantExpression | true | boolean |
| index.js:78:30:78:39 | "someData" | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:78:30:78:39 | "someData" | SqlInjection | notASinkReason | LoggerMethod | string |
| index.js:78:30:78:39 | "someData" | SqlInjection | sinkLabel | NotASink | string |
| index.js:78:30:78:39 | "someData" | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:78:30:78:39 | "someData" | TaintedPath | isConstantExpression | true | boolean |
| index.js:78:30:78:39 | "someData" | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:78:30:78:39 | "someData" | TaintedPath | notASinkReason | LoggerMethod | string |
| index.js:78:30:78:39 | "someData" | TaintedPath | sinkLabel | NotASink | string |
| index.js:78:30:78:39 | "someData" | Xss | hasFlowFromSource | false | boolean |
| index.js:78:30:78:39 | "someData" | Xss | isConstantExpression | true | boolean |
| index.js:78:30:78:39 | "someData" | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:78:30:78:39 | "someData" | Xss | notASinkReason | LoggerMethod | string |
| index.js:78:30:78:39 | "someData" | Xss | sinkLabel | NotASink | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | isConstantExpression | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | notASinkReason | ClientRequest | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | notASinkReason | JQueryArgument | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | sinkLabel | NotASink | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | isConstantExpression | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | notASinkReason | ClientRequest | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | notASinkReason | JQueryArgument | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | sinkLabel | NotASink | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | isConstantExpression | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | notASinkReason | ClientRequest | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | notASinkReason | JQueryArgument | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | sinkLabel | NotASink | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | hasFlowFromSource | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | isConstantExpression | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | notASinkReason | ClientRequest | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | notASinkReason | JQueryArgument | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | sinkLabel | NotASink | string |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | isConstantExpression | false | boolean |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | notASinkReason | ClientRequest | string |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | sinkLabel | NotASink | string |
| index.js:84:12:84:18 | foo.bar | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:84:12:84:18 | foo.bar | SqlInjection | isConstantExpression | false | boolean |
| index.js:84:12:84:18 | foo.bar | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:84:12:84:18 | foo.bar | SqlInjection | notASinkReason | ClientRequest | string |
| index.js:84:12:84:18 | foo.bar | SqlInjection | sinkLabel | NotASink | string |
| index.js:84:12:84:18 | foo.bar | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:84:12:84:18 | foo.bar | TaintedPath | isConstantExpression | false | boolean |
| index.js:84:12:84:18 | foo.bar | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:84:12:84:18 | foo.bar | TaintedPath | notASinkReason | ClientRequest | string |
| index.js:84:12:84:18 | foo.bar | TaintedPath | sinkLabel | NotASink | string |
| index.js:84:12:84:18 | foo.bar | Xss | hasFlowFromSource | false | boolean |
| index.js:84:12:84:18 | foo.bar | Xss | isConstantExpression | false | boolean |
| index.js:84:12:84:18 | foo.bar | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:84:12:84:18 | foo.bar | Xss | notASinkReason | ClientRequest | string |
| index.js:84:12:84:18 | foo.bar | Xss | sinkLabel | NotASink | string |
tokenFeatures
| index.js:1:25:1:33 | "express" | CalleeFlexibleAccessPath | require |
| index.js:1:25:1:33 | "express" | InputAccessPathFromCallee | |
| index.js:1:25:1:33 | "express" | InputArgumentIndex | 0 |
| index.js:1:25:1:33 | "express" | assignedToPropName | |
| index.js:1:25:1:33 | "express" | calleeImports | |
| index.js:1:25:1:33 | "express" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:1:25:1:33 | "express" | contextSurroundingFunctionParameters | |
| index.js:1:25:1:33 | "express" | enclosingFunctionBody | |
| index.js:1:25:1:33 | "express" | enclosingFunctionName | |
| index.js:1:25:1:33 | "express" | fileImports | express mongoose |
| index.js:1:25:1:33 | "express" | receiverName | |
| index.js:1:25:1:33 | "express" | stringConcatenatedWith | |
| index.js:2:26:2:35 | 'mongoose' | CalleeFlexibleAccessPath | require |
| index.js:2:26:2:35 | 'mongoose' | InputAccessPathFromCallee | |
| index.js:2:26:2:35 | 'mongoose' | InputArgumentIndex | 0 |
| index.js:2:26:2:35 | 'mongoose' | assignedToPropName | |
| index.js:2:26:2:35 | 'mongoose' | calleeImports | |
| index.js:2:26:2:35 | 'mongoose' | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:2:26:2:35 | 'mongoose' | contextSurroundingFunctionParameters | |
| index.js:2:26:2:35 | 'mongoose' | enclosingFunctionBody | |
| index.js:2:26:2:35 | 'mongoose' | enclosingFunctionName | |
| index.js:2:26:2:35 | 'mongoose' | fileImports | express mongoose |
| index.js:2:26:2:35 | 'mongoose' | receiverName | |
| index.js:2:26:2:35 | 'mongoose' | stringConcatenatedWith | |
| index.js:3:29:3:34 | 'User' | CalleeFlexibleAccessPath | mongoose.model |
| index.js:3:29:3:34 | 'User' | InputAccessPathFromCallee | |
| index.js:3:29:3:34 | 'User' | InputArgumentIndex | 0 |
| index.js:3:29:3:34 | 'User' | assignedToPropName | |
| index.js:3:29:3:34 | 'User' | calleeImports | mongoose |
| index.js:3:29:3:34 | 'User' | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:3:29:3:34 | 'User' | contextSurroundingFunctionParameters | |
| index.js:3:29:3:34 | 'User' | enclosingFunctionBody | |
| index.js:3:29:3:34 | 'User' | enclosingFunctionName | |
| index.js:3:29:3:34 | 'User' | fileImports | express mongoose |
| index.js:3:29:3:34 | 'User' | receiverName | mongoose |
| index.js:3:29:3:34 | 'User' | stringConcatenatedWith | |
| index.js:3:37:3:40 | null | CalleeFlexibleAccessPath | mongoose.model |
| index.js:3:37:3:40 | null | InputAccessPathFromCallee | |
| index.js:3:37:3:40 | null | InputArgumentIndex | 1 |
| index.js:3:37:3:40 | null | assignedToPropName | |
| index.js:3:37:3:40 | null | calleeImports | mongoose |
| index.js:3:37:3:40 | null | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:3:37:3:40 | null | contextSurroundingFunctionParameters | |
| index.js:3:37:3:40 | null | enclosingFunctionBody | |
| index.js:3:37:3:40 | null | enclosingFunctionName | |
| index.js:3:37:3:40 | null | fileImports | express mongoose |
| index.js:3:37:3:40 | null | receiverName | mongoose |
| index.js:3:37:3:40 | null | stringConcatenatedWith | |
| index.js:8:12:8:21 | '/isAdmin' | CalleeFlexibleAccessPath | app.post |
| index.js:8:12:8:21 | '/isAdmin' | InputAccessPathFromCallee | |
| index.js:8:12:8:21 | '/isAdmin' | InputArgumentIndex | 0 |
| index.js:8:12:8:21 | '/isAdmin' | assignedToPropName | |
| index.js:8:12:8:21 | '/isAdmin' | calleeImports | express |
| index.js:8:12:8:21 | '/isAdmin' | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:8:12:8:21 | '/isAdmin' | contextSurroundingFunctionParameters | () |
| index.js:8:12:8:21 | '/isAdmin' | enclosingFunctionBody | app post /isAdmin req res User find isAdmin req body isAdmin |
| index.js:8:12:8:21 | '/isAdmin' | enclosingFunctionName | flowFromSourceToSink |
| index.js:8:12:8:21 | '/isAdmin' | fileImports | express mongoose |
| index.js:8:12:8:21 | '/isAdmin' | receiverName | app |
| index.js:8:12:8:21 | '/isAdmin' | stringConcatenatedWith | |
| index.js:8:24:10:3 | (req, r ... });\\n } | CalleeFlexibleAccessPath | app.post |
| index.js:8:24:10:3 | (req, r ... });\\n } | InputAccessPathFromCallee | |
| index.js:8:24:10:3 | (req, r ... });\\n } | InputArgumentIndex | 1 |
| index.js:8:24:10:3 | (req, r ... });\\n } | assignedToPropName | |
| index.js:8:24:10:3 | (req, r ... });\\n } | calleeImports | express |
| index.js:8:24:10:3 | (req, r ... });\\n } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:8:24:10:3 | (req, r ... });\\n } | contextSurroundingFunctionParameters | ()\n(req, res) |
| index.js:8:24:10:3 | (req, r ... });\\n } | enclosingFunctionBody | app post /isAdmin req res User find isAdmin req body isAdmin |
| index.js:8:24:10:3 | (req, r ... });\\n } | enclosingFunctionName | flowFromSourceToSink |
| index.js:8:24:10:3 | (req, r ... });\\n } | fileImports | express mongoose |
| index.js:8:24:10:3 | (req, r ... });\\n } | receiverName | app |
| index.js:8:24:10:3 | (req, r ... });\\n } | stringConcatenatedWith | |
| index.js:9:15:9:45 | { 'isAd ... Admin } | CalleeFlexibleAccessPath | User.find |
| index.js:9:15:9:45 | { 'isAd ... Admin } | InputAccessPathFromCallee | |
| index.js:9:15:9:45 | { 'isAd ... Admin } | InputArgumentIndex | 0 |
| index.js:9:15:9:45 | { 'isAd ... Admin } | assignedToPropName | |
| index.js:9:15:9:45 | { 'isAd ... Admin } | calleeImports | mongoose |
| index.js:9:15:9:45 | { 'isAd ... Admin } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:9:15:9:45 | { 'isAd ... Admin } | contextSurroundingFunctionParameters | ()\n(req, res) |
| index.js:9:15:9:45 | { 'isAd ... Admin } | enclosingFunctionBody | app post /isAdmin req res User find isAdmin req body isAdmin |
| index.js:9:15:9:45 | { 'isAd ... Admin } | enclosingFunctionName | flowFromSourceToSink |
| index.js:9:15:9:45 | { 'isAd ... Admin } | fileImports | express mongoose |
| index.js:9:15:9:45 | { 'isAd ... Admin } | receiverName | User |
| index.js:9:15:9:45 | { 'isAd ... Admin } | stringConcatenatedWith | |
| index.js:9:28:9:43 | req.body.isAdmin | CalleeFlexibleAccessPath | User.find |
| index.js:9:28:9:43 | req.body.isAdmin | InputAccessPathFromCallee | 0.isAdmin |
| index.js:9:28:9:43 | req.body.isAdmin | InputArgumentIndex | 0 |
| index.js:9:28:9:43 | req.body.isAdmin | assignedToPropName | isAdmin |
| index.js:9:28:9:43 | req.body.isAdmin | calleeImports | mongoose |
| index.js:9:28:9:43 | req.body.isAdmin | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:9:28:9:43 | req.body.isAdmin | contextSurroundingFunctionParameters | ()\n(req, res) |
| index.js:9:28:9:43 | req.body.isAdmin | enclosingFunctionBody | app post /isAdmin req res User find isAdmin req body isAdmin |
| index.js:9:28:9:43 | req.body.isAdmin | enclosingFunctionName | flowFromSourceToSink |
| index.js:9:28:9:43 | req.body.isAdmin | fileImports | express mongoose |
| index.js:9:28:9:43 | req.body.isAdmin | receiverName | |
| index.js:9:28:9:43 | req.body.isAdmin | stringConcatenatedWith | |
| index.js:14:12:14:21 | '/isAdmin' | CalleeFlexibleAccessPath | app.post |
| index.js:14:12:14:21 | '/isAdmin' | InputAccessPathFromCallee | |
| index.js:14:12:14:21 | '/isAdmin' | InputArgumentIndex | 0 |
| index.js:14:12:14:21 | '/isAdmin' | assignedToPropName | |
| index.js:14:12:14:21 | '/isAdmin' | calleeImports | express |
| index.js:14:12:14:21 | '/isAdmin' | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:14:12:14:21 | '/isAdmin' | contextSurroundingFunctionParameters | () |
| index.js:14:12:14:21 | '/isAdmin' | enclosingFunctionBody | app post /isAdmin req res console log req body isAdmin |
| index.js:14:12:14:21 | '/isAdmin' | enclosingFunctionName | flowFromSourceToNotASink |
| index.js:14:12:14:21 | '/isAdmin' | fileImports | express mongoose |
| index.js:14:12:14:21 | '/isAdmin' | receiverName | app |
| index.js:14:12:14:21 | '/isAdmin' | stringConcatenatedWith | |
| index.js:14:24:16:3 | (req, r ... n);\\n } | CalleeFlexibleAccessPath | app.post |
| index.js:14:24:16:3 | (req, r ... n);\\n } | InputAccessPathFromCallee | |
| index.js:14:24:16:3 | (req, r ... n);\\n } | InputArgumentIndex | 1 |
| index.js:14:24:16:3 | (req, r ... n);\\n } | assignedToPropName | |
| index.js:14:24:16:3 | (req, r ... n);\\n } | calleeImports | express |
| index.js:14:24:16:3 | (req, r ... n);\\n } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:14:24:16:3 | (req, r ... n);\\n } | contextSurroundingFunctionParameters | ()\n(req, res) |
| index.js:14:24:16:3 | (req, r ... n);\\n } | enclosingFunctionBody | app post /isAdmin req res console log req body isAdmin |
| index.js:14:24:16:3 | (req, r ... n);\\n } | enclosingFunctionName | flowFromSourceToNotASink |
| index.js:14:24:16:3 | (req, r ... n);\\n } | fileImports | express mongoose |
| index.js:14:24:16:3 | (req, r ... n);\\n } | receiverName | app |
| index.js:14:24:16:3 | (req, r ... n);\\n } | stringConcatenatedWith | |
| index.js:15:17:15:32 | req.body.isAdmin | CalleeFlexibleAccessPath | console.log |
| index.js:15:17:15:32 | req.body.isAdmin | InputAccessPathFromCallee | |
| index.js:15:17:15:32 | req.body.isAdmin | InputArgumentIndex | 0 |
| index.js:15:17:15:32 | req.body.isAdmin | assignedToPropName | |
| index.js:15:17:15:32 | req.body.isAdmin | calleeImports | |
| index.js:15:17:15:32 | req.body.isAdmin | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:15:17:15:32 | req.body.isAdmin | contextSurroundingFunctionParameters | ()\n(req, res) |
| index.js:15:17:15:32 | req.body.isAdmin | enclosingFunctionBody | app post /isAdmin req res console log req body isAdmin |
| index.js:15:17:15:32 | req.body.isAdmin | enclosingFunctionName | flowFromSourceToNotASink |
| index.js:15:17:15:32 | req.body.isAdmin | fileImports | express mongoose |
| index.js:15:17:15:32 | req.body.isAdmin | receiverName | console |
| index.js:15:17:15:32 | req.body.isAdmin | stringConcatenatedWith | |
| index.js:20:13:20:31 | { 'isAdmin': true } | CalleeFlexibleAccessPath | User.find |
| index.js:20:13:20:31 | { 'isAdmin': true } | InputAccessPathFromCallee | |
| index.js:20:13:20:31 | { 'isAdmin': true } | InputArgumentIndex | 0 |
| index.js:20:13:20:31 | { 'isAdmin': true } | assignedToPropName | |
| index.js:20:13:20:31 | { 'isAdmin': true } | calleeImports | mongoose |
| index.js:20:13:20:31 | { 'isAdmin': true } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:20:13:20:31 | { 'isAdmin': true } | contextSurroundingFunctionParameters | () |
| index.js:20:13:20:31 | { 'isAdmin': true } | enclosingFunctionBody | User find isAdmin true |
| index.js:20:13:20:31 | { 'isAdmin': true } | enclosingFunctionName | notFlowFromSource |
| index.js:20:13:20:31 | { 'isAdmin': true } | fileImports | express mongoose |
| index.js:20:13:20:31 | { 'isAdmin': true } | receiverName | User |
| index.js:20:13:20:31 | { 'isAdmin': true } | stringConcatenatedWith | |
| index.js:20:26:20:29 | true | CalleeFlexibleAccessPath | User.find |
| index.js:20:26:20:29 | true | InputAccessPathFromCallee | 0.isAdmin |
| index.js:20:26:20:29 | true | InputArgumentIndex | 0 |
| index.js:20:26:20:29 | true | assignedToPropName | isAdmin |
| index.js:20:26:20:29 | true | calleeImports | mongoose |
| index.js:20:26:20:29 | true | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:20:26:20:29 | true | contextSurroundingFunctionParameters | () |
| index.js:20:26:20:29 | true | enclosingFunctionBody | User find isAdmin true |
| index.js:20:26:20:29 | true | enclosingFunctionName | notFlowFromSource |
| index.js:20:26:20:29 | true | fileImports | express mongoose |
| index.js:20:26:20:29 | true | receiverName | |
| index.js:20:26:20:29 | true | stringConcatenatedWith | |
| index.js:24:13:24:22 | "constant" | CalleeFlexibleAccessPath | User.find |
| index.js:24:13:24:22 | "constant" | InputAccessPathFromCallee | |
| index.js:24:13:24:22 | "constant" | InputArgumentIndex | 0 |
| index.js:24:13:24:22 | "constant" | assignedToPropName | |
| index.js:24:13:24:22 | "constant" | calleeImports | mongoose |
| index.js:24:13:24:22 | "constant" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:24:13:24:22 | "constant" | contextSurroundingFunctionParameters | () |
| index.js:24:13:24:22 | "constant" | enclosingFunctionBody | User find constant |
| index.js:24:13:24:22 | "constant" | enclosingFunctionName | constantExpression |
| index.js:24:13:24:22 | "constant" | fileImports | express mongoose |
| index.js:24:13:24:22 | "constant" | receiverName | User |
| index.js:24:13:24:22 | "constant" | stringConcatenatedWith | |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | CalleeFlexibleAccessPath | User.find |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | InputAccessPathFromCallee | |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | InputArgumentIndex | 0 |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | assignedToPropName | |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | calleeImports | mongoose |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | contextSurroundingFunctionParameters | () |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | enclosingFunctionBody | User find UNDEFINED_GLOBAL |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | enclosingFunctionName | notConstantExpression |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | fileImports | express mongoose |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | receiverName | User |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | stringConcatenatedWith | |
| index.js:32:15:32:24 | "someData" | CalleeFlexibleAccessPath | console.log |
| index.js:32:15:32:24 | "someData" | InputAccessPathFromCallee | |
| index.js:32:15:32:24 | "someData" | InputArgumentIndex | 0 |
| index.js:32:15:32:24 | "someData" | assignedToPropName | |
| index.js:32:15:32:24 | "someData" | calleeImports | |
| index.js:32:15:32:24 | "someData" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:32:15:32:24 | "someData" | contextSurroundingFunctionParameters | () |
| index.js:32:15:32:24 | "someData" | enclosingFunctionBody | console log someData |
| index.js:32:15:32:24 | "someData" | enclosingFunctionName | notASink |
| index.js:32:15:32:24 | "someData" | fileImports | express mongoose |
| index.js:32:15:32:24 | "someData" | receiverName | console |
| index.js:32:15:32:24 | "someData" | stringConcatenatedWith | |
| index.js:36:20:36:22 | "a" | CalleeFlexibleAccessPath | ?.startsWith |
| index.js:36:20:36:22 | "a" | InputAccessPathFromCallee | |
| index.js:36:20:36:22 | "a" | InputArgumentIndex | 0 |
| index.js:36:20:36:22 | "a" | assignedToPropName | |
| index.js:36:20:36:22 | "a" | calleeImports | |
| index.js:36:20:36:22 | "a" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:36:20:36:22 | "a" | contextSurroundingFunctionParameters | () |
| index.js:36:20:36:22 | "a" | enclosingFunctionBody | abc startsWith a |
| index.js:36:20:36:22 | "a" | enclosingFunctionName | notASinkMultipleReasons |
| index.js:36:20:36:22 | "a" | fileImports | express mongoose |
| index.js:36:20:36:22 | "a" | receiverName | |
| index.js:36:20:36:22 | "a" | stringConcatenatedWith | |
| index.js:41:13:68:61 | "a" + " ... " + "a" | CalleeFlexibleAccessPath | User.find |
| index.js:41:13:68:61 | "a" + " ... " + "a" | InputAccessPathFromCallee | |
| index.js:41:13:68:61 | "a" + " ... " + "a" | InputArgumentIndex | 0 |
| index.js:41:13:68:61 | "a" + " ... " + "a" | assignedToPropName | |
| index.js:41:13:68:61 | "a" + " ... " + "a" | calleeImports | mongoose |
| index.js:41:13:68:61 | "a" + " ... " + "a" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:41:13:68:61 | "a" + " ... " + "a" | contextSurroundingFunctionParameters | () |
| index.js:41:13:68:61 | "a" + " ... " + "a" | enclosingFunctionBody | |
| index.js:41:13:68:61 | "a" + " ... " + "a" | enclosingFunctionName | veryLongFunctionBody |
| index.js:41:13:68:61 | "a" + " ... " + "a" | fileImports | express mongoose |
| index.js:41:13:68:61 | "a" + " ... " + "a" | receiverName | User |
| index.js:41:13:68:61 | "a" + " ... " + "a" | stringConcatenatedWith | |
| index.js:78:30:78:39 | "someData" | CalleeFlexibleAccessPath | console.log |
| index.js:78:30:78:39 | "someData" | InputAccessPathFromCallee | |
| index.js:78:30:78:39 | "someData" | InputArgumentIndex | 0 |
| index.js:78:30:78:39 | "someData" | assignedToPropName | |
| index.js:78:30:78:39 | "someData" | calleeImports | |
| index.js:78:30:78:39 | "someData" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:78:30:78:39 | "someData" | contextSurroundingFunctionParameters | () |
| index.js:78:30:78:39 | "someData" | enclosingFunctionBody | console log someData |
| index.js:78:30:78:39 | "someData" | enclosingFunctionName | identity#functionalargument |
| index.js:78:30:78:39 | "someData" | fileImports | express mongoose |
| index.js:78:30:78:39 | "someData" | receiverName | console |
| index.js:78:30:78:39 | "someData" | stringConcatenatedWith | |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | CalleeFlexibleAccessPath | $.ajax |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | InputAccessPathFromCallee | |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | InputArgumentIndex | 0 |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | assignedToPropName | |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | calleeImports | |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | contextSurroundingFunctionParameters | (foo) |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | enclosingFunctionBody | foo $ ajax url foo bar |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | enclosingFunctionName | effectiveSinkAndNotASink |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | fileImports | express mongoose |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | receiverName | $ |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | stringConcatenatedWith | |
| index.js:84:12:84:18 | foo.bar | CalleeFlexibleAccessPath | $.ajax |
| index.js:84:12:84:18 | foo.bar | InputAccessPathFromCallee | 0.url |
| index.js:84:12:84:18 | foo.bar | InputArgumentIndex | 0 |
| index.js:84:12:84:18 | foo.bar | assignedToPropName | url |
| index.js:84:12:84:18 | foo.bar | calleeImports | |
| index.js:84:12:84:18 | foo.bar | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:84:12:84:18 | foo.bar | contextSurroundingFunctionParameters | (foo) |
| index.js:84:12:84:18 | foo.bar | enclosingFunctionBody | foo $ ajax url foo bar |
| index.js:84:12:84:18 | foo.bar | enclosingFunctionName | effectiveSinkAndNotASink |
| index.js:84:12:84:18 | foo.bar | fileImports | express mongoose |
| index.js:84:12:84:18 | foo.bar | receiverName | |
| index.js:84:12:84:18 | foo.bar | stringConcatenatedWith | |


@@ -1,3 +1,10 @@
## 0.3.1
### Minor Analysis Improvements
- Several of the SQL and NoSQL library models have improved, leading to more results for the `js/sql-injection` query,
and in some cases the `js/missing-rate-limiting` query.
## 0.3.0
### Breaking Changes


@@ -1,6 +1,6 @@
---
category: minorAnalysis
---
## 0.3.1
### Minor Analysis Improvements
- Several of the SQL and NoSQL library models have improved, leading to more results for the `js/sql-injection` query,
and in some cases the `js/missing-rate-limiting` query.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.0
lastReleaseVersion: 0.3.1


@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 0.3.1-dev
version: 0.3.2-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript


@@ -161,7 +161,7 @@ private module PrintJavaScript {
/**
* A print node representing an `ASTNode`.
*
* Provides a default implemention that works for some (but not all) ASTNode's.
* Provides a default implementation that works for some (but not all) ASTNode's.
* More specific subclasses can override this class to get more specific behavior.
*
* The more specific subclasses are mostly used aggregate the children of the `ASTNode`.


@@ -711,13 +711,31 @@ module TaintTracking {
}
}
/**
* Gets a local source of any part of the input to the given stringification `call`.
*/
pragma[nomagic]
private DataFlow::Node getAJsonLocalInput(JsonStringifyCall call) {
result = call.getInput()
or
exists(DataFlow::SourceNode source |
source = pragma[only_bind_out](getAJsonLocalInput(call)).getALocalSource()
|
result = source.getAPropertyWrite().getRhs()
or
result = source.(DataFlow::ObjectLiteralNode).getASpreadProperty()
or
result = source.(DataFlow::ArrayCreationNode).getASpreadArgument()
)
}
/**
* A taint propagating data flow edge arising from JSON unparsing.
*/
private class JsonStringifyTaintStep extends SharedTaintStep {
override predicate serializeStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(JsonStringifyCall call |
pred = call.getArgument(0) and
pred = getAJsonLocalInput(call) and
succ = call
)
}
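Review bot: `getAJsonLocalInput` follows `source.getAPropertyWrite()` without regard to where the write sits relative to the stringification call, so a property assigned after `JSON.stringify(obj)` appears to be treated as part of the serialized input. That is probably an accepted over-approximation for a taint step, but the QLDoc does not say so; I would add a sentence such as `The result is flow-insensitive: property writes are included regardless of whether they happen before `call`.` The doc also says "local source", while the predicate returns the input itself plus right-hand sides of property writes and spread arguments, so "Gets a node whose value may be stored somewhere in the input to `call`" would describe it better. The enclosing `TaintTracking` module starts and ends outside the hunk.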


@@ -671,7 +671,7 @@ module ClientRequest {
}
/**
* Gets the response type corresponding to `getReponse()` but not
* Gets the response type corresponding to `getResponse()` but not
* for explicitly typed calls like `getResponseJson()`.
*/
string getAssignedResponseType() {


@@ -7,7 +7,7 @@ import javascript
/**
* Provides classes implementing data-flow for Immutable.
*
* The implemention rely on the flowsteps implemented in `Collections.qll`.
* The implementation rely on the flowsteps implemented in `Collections.qll`.
*/
private module Immutable {
/**
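Review bot: The corrected sentence still has a subject-verb mismatch, `The implementation rely on`. It should read `The implementation relies on the flow steps implemented in Collections.qll.` The `Immutable` module body continues outside the hunk.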


@@ -1,5 +1,5 @@
/**
* Provides precicates for reasoning about bad tag filter vulnerabilities.
* Provides predicates for reasoning about bad tag filter vulnerabilities.
*/
import regexp.RegexpMatching
@@ -65,7 +65,7 @@ predicate isBadRegexpFilter(HtmlMatchingRegExp regexp, string msg) {
regexp.matches("<!-- foo --!>") and
exists(int a, int b | a != b |
regexp.fillsCaptureGroup("<!-- foo -->", a) and
// <!-- foo --> might be ambigously parsed (matching both capture groups), and that is ok here.
// <!-- foo --> might be ambiguously parsed (matching both capture groups), and that is ok here.
regexp.fillsCaptureGroup("<!-- foo --!>", b) and
not regexp.fillsCaptureGroup("<!-- foo --!>", a) and
msg =


@@ -25,13 +25,13 @@ module ReflectedXss {
* is to prevent us from flagging plain-text or JSON responses as vulnerable.
*/
class HttpResponseSink extends Sink instanceof Http::ResponseSendArgument {
HttpResponseSink() { not exists(getANonHtmlHeaderDefinition(this)) }
HttpResponseSink() { not exists(getAXssSafeHeaderDefinition(this)) }
}
/**
* Gets a HeaderDefinition that defines a non-html content-type for `send`.
* DEPRECATED: Gets a HeaderDefinition that defines a non-html content-type for `send`.
*/
Http::HeaderDefinition getANonHtmlHeaderDefinition(Http::ResponseSendArgument send) {
deprecated Http::HeaderDefinition getANonHtmlHeaderDefinition(Http::ResponseSendArgument send) {
exists(Http::RouteHandler h |
send.getRouteHandler() = h and
result = nonHtmlContentTypeHeader(h)
@@ -42,13 +42,49 @@ module ReflectedXss {
}
/**
* Holds if `h` may send a response with a content type other than HTML.
* DEPRECATED: Holds if `h` may send a response with a content type other than HTML.
*/
Http::HeaderDefinition nonHtmlContentTypeHeader(Http::RouteHandler h) {
deprecated Http::HeaderDefinition nonHtmlContentTypeHeader(Http::RouteHandler h) {
result = h.getAResponseHeader("content-type") and
not exists(string tp | result.defines("content-type", tp) | tp.regexpMatch("(?i).*html.*"))
}
/**
* Gets a HeaderDefinition that defines a XSS safe content-type for `send`.
*/
Http::HeaderDefinition getAXssSafeHeaderDefinition(Http::ResponseSendArgument send) {
exists(Http::RouteHandler h |
send.getRouteHandler() = h and
result = xssSafeContentTypeHeader(h)
|
// The HeaderDefinition affects a response sent at `send`.
headerAffects(result, send)
)
}
/**
* Gets a content-type that may lead to javascript code being executed in the browser.
* ref: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#content-types
*/
string xssUnsafeContentType() {
result =
[
"text/html", "application/xhtml+xml", "application/xml", "text/xml", "image/svg+xml",
"text/xsl", "application/vnd.wap.xhtml+xml", "text/rdf", "application/rdf+xml",
"application/mathml+xml", "text/vtt", "text/cache-manifest"
]
}
/**
* Holds if `h` may send a response with a content type that is safe for XSS.
*/
Http::HeaderDefinition xssSafeContentTypeHeader(Http::RouteHandler h) {
result = h.getAResponseHeader("content-type") and
not exists(string tp | result.defines("content-type", tp) |
tp.toLowerCase().matches(xssUnsafeContentType() + "%")
)
}
/**
* Holds if a header set in `header` is likely to affect a response sent at `sender`.
*/
@@ -61,6 +97,7 @@ module ReflectedXss {
// There is no dominating header, and `header` is non-local.
not isLocalHeaderDefinition(header) and
not exists(Http::HeaderDefinition dominatingHeader |
dominatingHeader.getAHeaderName() = "content-type" and
dominatingHeader.getBasicBlock().(ReachableBasicBlock).dominates(sender.getBasicBlock())
)
)
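Review bot: In `xssSafeContentTypeHeader`, a `content-type` header whose value is not known as a string satisfies the `not exists(string tp | ...)` test vacuously, so as far as the visible predicate shows a dynamically computed content type is counted as XSS-safe and suppresses `HttpResponseSink`. The deprecated `nonHtmlContentTypeHeader` has the same shape, so this is inherited rather than new. Now that the predicate is named "safe", it should either require a known value first, `exists(string tp | result.defines("content-type", tp)) and`, or state in the QLDoc that unknown values are assumed safe. The prefix test `tp.toLowerCase().matches(xssUnsafeContentType() + "%")` also does not trim leading whitespace from the header value, and a type missing from the deny-list is treated as safe. Both deserve a short comment next to the list. The `headerAffects` predicate touched by the last hunk starts and ends outside the visible lines.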


@@ -202,7 +202,7 @@ private predicate isFork(State q, InputSymbol s1, InputSymbol s2, State r1, Stat
//
// We additionally require that the there exists another InfiniteRepetitionQuantifier `mid` on the path from `q` to itself.
// This is done to avoid flagging regular expressions such as `/(a?)*b/` - that only has polynomial runtime, and is detected by `js/polynomial-redos`.
// The below code is therefore a heuritic, that only flags regular expressions such as `/(a*)*b/`,
// The below code is therefore a heuristic, that only flags regular expressions such as `/(a*)*b/`,
// and does not flag regular expressions such as `/(a?b?)c/`, but the latter pattern is not used frequently.
r1 = r2 and
q1 = q2 and


@@ -59,8 +59,8 @@ predicate matchesEpsilon(RegExpTerm t) {
/**
* A lookahead/lookbehind that matches the empty string.
*/
class EmptyPositiveSubPatttern extends RegExpSubPattern {
EmptyPositiveSubPatttern() {
class EmptyPositiveSubPattern extends RegExpSubPattern {
EmptyPositiveSubPattern() {
(
this instanceof RegExpPositiveLookahead
or
@@ -70,6 +70,9 @@ class EmptyPositiveSubPatttern extends RegExpSubPattern {
}
}
/** DEPRECATED: Use `EmptyPositiveSubPattern` instead. */
deprecated class EmptyPositiveSubPatttern = EmptyPositiveSubPattern;
/**
* A branch in a disjunction that is the root node in a literal, or a literal
* whose root node is not a disjunction.
@@ -133,7 +136,7 @@ private predicate isCanonicalTerm(RelevantRegExpTerm term, string str) {
}
/**
* Gets a string reperesentation of the flags used with the regular expression.
* Gets a string representation of the flags used with the regular expression.
* Only the flags that are relevant for the canonicalization are included.
*/
string getCanonicalizationFlags(RegExpTerm root) {
@@ -334,7 +337,7 @@ private module CharacterClasses {
)
}
private string lowercaseLetter() { result = "abdcefghijklmnopqrstuvwxyz".charAt(_) }
private string lowercaseLetter() { result = "abcdefghijklmnopqrstuvwxyz".charAt(_) }
private string upperCaseLetter() { result = "ABCDEFGHIJKLMNOPQRSTUVWXYZ".charAt(_) }
@@ -697,9 +700,7 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
lbl = Epsilon() and q2 = Accept(getRoot(dollar))
)
or
exists(EmptyPositiveSubPatttern empty | q1 = before(empty) |
lbl = Epsilon() and q2 = after(empty)
)
exists(EmptyPositiveSubPattern empty | q1 = before(empty) | lbl = Epsilon() and q2 = after(empty))
}
/**
@@ -1028,7 +1029,7 @@ module ReDoSPruning<isCandidateSig/2 isCandidate> {
* as the suffix "X" will cause both the regular expressions to be rejected.
*
* The string `w` is repeated any number of times because it needs to be
* infinitely repeatedable for the attack to work.
* infinitely repeatable for the attack to work.
* For the regular expression `/((ab)+)*abab/` the accepting state is not reachable from the fork
* using epsilon transitions. But any attempt at repeating `w` will end in a state that accepts all suffixes.
*/


@@ -5,7 +5,7 @@
import javascript
/**
* Holds if `term` is an ecape class representing e.g. `\d`.
* Holds if `term` is an escape class representing e.g. `\d`.
* `clazz` is which character class it represents, e.g. "d" for `\d`.
*/
predicate isEscapeClass(RegExpTerm term, string clazz) {
@@ -20,13 +20,13 @@ predicate isPossessive(RegExpQuantifier term) { none() }
/**
* Holds if the regex that `term` is part of is used in a way that ignores any leading prefix of the input it's matched against.
* Not yet implemented for Javascript.
* Not yet implemented for JavaScript.
*/
predicate matchesAnyPrefix(RegExpTerm term) { any() }
/**
* Holds if the regex that `term` is part of is used in a way that ignores any trailing suffix of the input it's matched against.
* Not yet implemented for Javascript.
* Not yet implemented for JavaScript.
*/
predicate matchesAnySuffix(RegExpTerm term) { any() }


@@ -1,5 +1,5 @@
/**
* Provides precicates for reasoning about which strings are matched by a regular expression,
* Provides predicates for reasoning about which strings are matched by a regular expression,
* and for testing which capture groups are filled when a particular regexp matches a string.
*/


@@ -76,7 +76,7 @@ class StateTuple extends TStateTuple {
StateTuple() { this = MkStateTuple(q1, q2, q3) }
/**
* Gest a string repesentation of this tuple.
* Gest a string representation of this tuple.
*/
string toString() { result = "(" + q1 + ", " + q2 + ", " + q3 + ")" }
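Review bot: The corrected QLDoc on `toString` still begins with the misspelling `Gest`. The line should read `Gets a string representation of this tuple.` The `StateTuple` class continues outside the hunk.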


@@ -1,3 +1,7 @@
## 0.4.1
No user-facing changes.
## 0.4.0
### Minor Analysis Improvements
@@ -119,7 +123,7 @@
### New Queries
* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitary code execution.
* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitrary code execution.
The query is not run by default.
* A new query `js/file-system-race` has been added. The query detects when there is time between a file being checked and used. The query is not run by default.
* A new query `js/jwt-missing-verification` has been added. The query detects applications that don't verify JWT tokens.


@@ -3,6 +3,7 @@
* @description Lists all files in the source code directory that were extracted without encountering an error in the file.
* @kind diagnostic
* @id js/diagnostics/successfully-extracted-files
* @tags successfully-extracted-files
*/
import javascript


@@ -40,7 +40,7 @@ From context, it appears that the second binding should have been for variable <
<sample src="examples/NonLinearPatternGood.js" />
<p>
This can sometimes happen in TypeScript, due to the apparant similarity between property patterns
This can sometimes happen in TypeScript, due to the apparent similarity between property patterns
and type annotations. In the following example, the function uses a pattern parameter with properties <code>x</code>
and <code>y</code>. These appear to have type <code>number</code>, but are in fact untyped properties both stored in a variable named <code>number</code>.
</p>


@@ -33,7 +33,7 @@ selector to determine which element should be manipulated.
<p>
However, if an attacker can control the <code>data-target</code> attribute,
then the value of <code>target</code> can be used to cause the <code>$</code> function
to execute arbitary JavaScript.
to execute arbitrary JavaScript.
</p>
<p>
The above vulnerability can be fixed by using <code>$.find</code> instead of <code>$</code>.


@@ -23,7 +23,7 @@
</p>
<p>
It is also recommended to limit the permissions of any tokens used
by a workflow such as the the GITHUB_TOKEN.
by a workflow such as the GITHUB_TOKEN.
</p>
</recommendation>


@@ -106,7 +106,7 @@ predicate useAfterCheck(FileCheck check, FileUse use) {
)
)
or
check.getBasicBlock().getASuccessor+() = use.getBasicBlock()
check.getBasicBlock().(ReachableBasicBlock).strictlyDominates(use.getBasicBlock())
}
from FileCheck check, FileUse use
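Review bot: The new `strictlyDominates` condition in `useAfterCheck` carries no comment saying why plain reachability was not enough, and the reason is not obvious from the line itself. I would add above it `// the check must dominate the use: a check that only precedes the use on some paths is not the guard the use relies on`. Because `strictlyDominates` excludes the block itself, the same-basic-block case has to be handled by the disjunct before the `or`. That disjunct starts outside the hunk, so this is worth confirming. The change also trades false positives for possible false negatives when the check sits in a branch, which the change note could mention.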


@@ -4,7 +4,7 @@
<qhelp>
<overview>
<p>
Downloading executeables or other sensitive files over an unencrypted connection
Downloading executables or other sensitive files over an unencrypted connection
can leave a server open to man-in-the-middle attacks (MITM).
Such an attack can allow an attacker to insert arbitrary content
into the downloaded file, and in the worst case, allow the attacker to execute


@@ -17,7 +17,7 @@ longer needed, remove it.
</p>
<p>
If the check is needed to guard against <code>NaN</code> values, insert a comment explaning the possibility of <code>NaN</code>.
If the check is needed to guard against <code>NaN</code> values, insert a comment explaining the possibility of <code>NaN</code>.
</p>
</recommendation>


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Removed some false positives from the `js/file-system-race` query by requiring that the file-check dominates the file-access.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Improved taint tracking through `JSON.stringify` in cases where a tainted value is stored somewhere in the input object.


@@ -2,7 +2,7 @@
### New Queries
* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitary code execution.
* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitrary code execution.
The query is not run by default.
* A new query `js/file-system-race` has been added. The query detects when there is time between a file being checked and used. The query is not run by default.
* A new query `js/jwt-missing-verification` has been added. The query detects applications that don't verify JWT tokens.


@@ -0,0 +1,3 @@
## 0.4.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.0
lastReleaseVersion: 0.4.1


@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 0.4.1-dev
version: 0.4.2-dev
groups:
- javascript
- queries


@@ -0,0 +1,4 @@
import javascript
import semmle.javascript.security.dataflow.ReflectedXssCustomizations
query predicate test_Xss(ReflectedXss::Sink sink, Http::ResponseSendArgument res) { sink = res }


@@ -34,12 +34,12 @@ app.post('/some/other/path', function(req, res) {
app.get('/', require('./exportedHandler.js').handler);
function getHandler() {
return function (req, res){}
return function(req, res) { }
}
app.use(getHandler());
function getArrowHandler() {
return (req, res) => f();
return (req, res) => f();
}
app.use(getArrowHandler());
@@ -49,3 +49,21 @@ app.post('/headers', function(req, res) {
req.hostname;
req.headers[config.headerName];
});
app.get('/some/xss1', function(req, res) {
res.header("Content-Type", "text/html");
res.send(req.params.foo)
foo(res);
});
app.get('/some/xss2', function(req, res) {
res.header("Content-Type", "application/xml");
res.send(req.params.foo)
foo(res);
});
app.get('/some/non-xss1', function(req, res) {
res.header("Content-Type", "text/plain");
res.send(req.params.foo)
foo(res);
});
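Review bot: The three new handlers use only exact, lower-case content types, so the fixture does not exercise the case folding or prefix matching that the content-type classification under test performs. I would add a handler whose header carries a mixed-case value with a parameter, `res.header("Content-Type", "Text/HTML; charset=utf-8");` followed by `res.send(req.params.foo)`, and expect it to be reported as a sink. A second handler that sets the header from a non-constant value would document how unknown content types are classified. Each handler should also get a short comment naming the expected outcome, for example `// NOT OK: HTML response` or `// OK: plain text`, since the route names alone carry that meaning today.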


@@ -17,6 +17,9 @@ test_RouteHandlerExpr_getBody
| src/express.js:16:19:18:3 | functio ... ");\\n } | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/middleware-flow.js:13:16:13:24 | installDb | src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} |
| src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
@@ -48,6 +51,9 @@ test_RouteSetup
| src/express.js:16:3:18:4 | router. ... );\\n }) | src/express.js:2:11:2:19 | express() | false |
| src/express.js:22:1:32:2 | app.pos ... r');\\n}) | src/express.js:2:11:2:19 | express() | false |
| src/express.js:46:1:51:2 | app.pos ... me];\\n}) | src/express.js:2:11:2:19 | express() | false |
| src/express.js:53:1:57:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() | false |
| src/express.js:59:1:63:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() | false |
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() | false |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:2:11:2:19 | express() | false |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:2:13:2:21 | express() | true |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:2:13:2:21 | express() | false |
@@ -107,6 +113,9 @@ test_RouteSetup_getLastRouteHandlerExpr
| src/express.js:39:1:39:21 | app.use ... dler()) | src/express.js:39:9:39:20 | getHandler() |
| src/express.js:44:1:44:26 | app.use ... dler()) | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:46:1:51:2 | app.pos ... me];\\n}) | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:53:1:57:2 | app.get ... es);\\n}) | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:59:1:63:2 | app.get ... es);\\n}) | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:13:16:13:24 | installDb |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
@@ -753,7 +762,28 @@ test_RouterDefinition_getMiddlewareStackAt
| src/express.js:2:11:2:19 | express() | src/express.js:46:5:46:8 | post | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:46:10:46:19 | '/headers' | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:52:1:52:0 | exit node of <toplevel> | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:53:1:53:3 | app | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:53:1:53:7 | app.get | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:53:1:57:2 | app.get ... es);\\n}) | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:53:1:57:3 | app.get ... s);\\n}); | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:53:5:53:7 | get | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:53:9:53:20 | '/some/xss1' | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:59:1:59:3 | app | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:59:1:59:7 | app.get | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:59:1:63:2 | app.get ... es);\\n}) | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:59:1:63:3 | app.get ... s);\\n}); | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:59:5:59:7 | get | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:59:9:59:20 | '/some/xss2' | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:65:1:65:3 | app | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:65:1:65:7 | app.get | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:65:1:69:3 | app.get ... s);\\n}); | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:65:5:65:7 | get | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:65:9:65:24 | '/some/non-xss1' | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:2:11:2:19 | express() | src/express.js:70:1:70:0 | exit node of <toplevel> | src/express.js:44:9:44:25 | getArrowHandler() |
| src/middleware-flow.js:2:13:2:21 | express() | src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:13:16:13:24 | installDb |
| src/middleware-flow.js:2:13:2:21 | express() | src/middleware-flow.js:14:2:14:1 | exit node of functio ... lDb);\\n} | src/middleware-flow.js:13:16:13:24 | installDb |
| src/subrouter.js:2:11:2:19 | express() | src/subrouter.js:4:1:4:26 | app.use ... rotect) | src/subrouter.js:4:19:4:25 | protect |
@@ -872,14 +902,23 @@ test_isRequest
| src/express.js:28:3:28:5 | req |
| src/express.js:29:3:29:5 | req |
| src/express.js:30:3:30:5 | req |
| src/express.js:37:22:37:24 | req |
| src/express.js:42:13:42:15 | req |
| src/express.js:37:19:37:21 | req |
| src/express.js:42:11:42:13 | req |
| src/express.js:46:31:46:33 | req |
| src/express.js:46:31:46:33 | req |
| src/express.js:47:3:47:5 | req |
| src/express.js:48:3:48:5 | req |
| src/express.js:49:3:49:5 | req |
| src/express.js:50:3:50:5 | req |
| src/express.js:53:32:53:34 | req |
| src/express.js:53:32:53:34 | req |
| src/express.js:55:12:55:14 | req |
| src/express.js:59:32:59:34 | req |
| src/express.js:59:32:59:34 | req |
| src/express.js:61:12:61:14 | req |
| src/express.js:65:36:65:38 | req |
| src/express.js:65:36:65:38 | req |
| src/express.js:67:12:67:14 | req |
| src/inheritedFromNode.js:4:24:4:26 | req |
| src/inheritedFromNode.js:4:24:4:26 | req |
| src/inheritedFromNode.js:7:2:7:4 | req |
@@ -974,6 +1013,9 @@ test_RouteSetup_getRouter
| src/express.js:39:1:39:21 | app.use ... dler()) | src/express.js:2:11:2:19 | express() |
| src/express.js:44:1:44:26 | app.use ... dler()) | src/express.js:2:11:2:19 | express() |
| src/express.js:46:1:51:2 | app.pos ... me];\\n}) | src/express.js:2:11:2:19 | express() |
| src/express.js:53:1:57:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() |
| src/express.js:59:1:63:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() |
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:2:11:2:19 | express() |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:2:13:2:21 | express() |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:2:13:2:21 | express() |
@@ -1022,6 +1064,9 @@ test_StandardRouteHandler
| src/express.js:16:19:18:3 | functio ... ");\\n } | src/express.js:2:11:2:19 | express() | src/express.js:16:28:16:30 | req | src/express.js:16:33:16:35 | res |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:2:11:2:19 | express() | src/express.js:22:39:22:41 | req | src/express.js:22:44:22:46 | res |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:2:11:2:19 | express() | src/express.js:46:31:46:33 | req | src/express.js:46:36:46:38 | res |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:2:11:2:19 | express() | src/express.js:53:32:53:34 | req | src/express.js:53:37:53:39 | res |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:2:11:2:19 | express() | src/express.js:59:32:59:34 | req | src/express.js:59:37:59:39 | res |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:2:11:2:19 | express() | src/express.js:65:36:65:38 | req | src/express.js:65:41:65:43 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:2:11:2:19 | express() | src/inheritedFromNode.js:4:24:4:26 | req | src/inheritedFromNode.js:4:29:4:31 | res |
| src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} | src/middleware-flow.js:2:13:2:21 | express() | src/middleware-flow.js:5:20:5:22 | req | src/middleware-flow.js:5:25:5:27 | res |
| src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } | src/middleware-flow.js:2:13:2:21 | express() | src/middleware-flow.js:17:25:17:27 | req | src/middleware-flow.js:17:30:17:32 | res |
@@ -1054,6 +1099,9 @@ test_RequestInputAccess
| src/express.js:48:3:48:10 | req.host | header | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:49:3:49:14 | req.hostname | header | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:50:3:50:32 | req.hea ... erName] | header | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:55:12:55:25 | req.params.foo | parameter | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:61:12:61:25 | req.params.foo | parameter | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:67:12:67:25 | req.params.foo | parameter | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:7:2:7:8 | req.url | url | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/params.js:4:35:4:39 | value | parameter | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:5:17:5:28 | req.query.xx | parameter | src/params.js:4:18:12:1 | (req, r ... }\\n} |
@@ -1066,6 +1114,12 @@ test_RouteHandler_getAResponseHeader
| src/express.js:4:23:9:1 | functio ... res);\\n} | access-control-allow-credentials | src/express.js:12:3:12:54 | arg.hea ... , true) |
| src/express.js:4:23:9:1 | functio ... res);\\n} | content-type | src/express.js:7:3:7:42 | res.hea ... plain") |
| src/express.js:4:23:9:1 | functio ... res);\\n} | location | src/express.js:6:3:6:45 | res.hea ... rget")) |
| src/express.js:53:23:57:1 | functio ... res);\\n} | access-control-allow-credentials | src/express.js:12:3:12:54 | arg.hea ... , true) |
| src/express.js:53:23:57:1 | functio ... res);\\n} | content-type | src/express.js:54:3:54:41 | res.hea ... /html") |
| src/express.js:59:23:63:1 | functio ... res);\\n} | access-control-allow-credentials | src/express.js:12:3:12:54 | arg.hea ... , true) |
| src/express.js:59:23:63:1 | functio ... res);\\n} | content-type | src/express.js:60:3:60:47 | res.hea ... n/xml") |
| src/express.js:65:27:69:1 | functio ... res);\\n} | access-control-allow-credentials | src/express.js:12:3:12:54 | arg.hea ... , true) |
| src/express.js:65:27:69:1 | functio ... res);\\n} | content-type | src/express.js:66:3:66:42 | res.hea ... plain") |
test_RouteSetup_handlesSameRequestMethodAs
| src/csurf-example.js:13:1:13:20 | app.use('/api', api) | src/csurf-example.js:16:1:16:51 | app.use ... lse })) |
| src/csurf-example.js:13:1:13:20 | app.use('/api', api) | src/csurf-example.js:17:1:17:23 | app.use ... rser()) |
@@ -1099,6 +1153,9 @@ test_RouteSetup_handlesSameRequestMethodAs
| src/csurf-example.js:32:3:34:4 | router. ... ')\\n }) | src/csurf-example.js:40:1:40:49 | app.pos ... es) {}) |
test_HeaderDefinition_defines
| src/express.js:7:3:7:42 | res.hea ... plain") | content-type | text/plain |
| src/express.js:54:3:54:41 | res.hea ... /html") | content-type | text/html |
| src/express.js:60:3:60:47 | res.hea ... n/xml") | content-type | application/xml |
| src/express.js:66:3:66:42 | res.hea ... plain") | content-type | text/plain |
test_ResponseExpr
| src/advanced-routehandler-registration.js:6:12:6:14 | res | src/advanced-routehandler-registration.js:6:6:6:35 | (req, r ... og(req) |
| src/advanced-routehandler-registration.js:7:12:7:14 | res | src/advanced-routehandler-registration.js:7:6:7:35 | (req, r ... og(req) |
@@ -1203,8 +1260,20 @@ test_ResponseExpr
| src/express.js:8:7:8:9 | res | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:11:14:11:16 | arg | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:11:14:11:16 | arg | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:11:14:11:16 | arg | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:11:14:11:16 | arg | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:11:14:11:16 | arg | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:11:14:11:16 | arg | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:11:14:11:16 | arg | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:11:14:11:16 | arg | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:12:3:12:5 | arg | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:12:3:12:5 | arg | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:12:3:12:5 | arg | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:12:3:12:5 | arg | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:12:3:12:54 | arg.hea ... , true) | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:12:3:12:54 | arg.hea ... , true) | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:12:3:12:54 | arg.hea ... , true) | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:12:3:12:54 | arg.hea ... , true) | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:16:33:16:35 | res | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:16:33:16:35 | res | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:17:5:17:7 | res | src/express.js:16:19:18:3 | functio ... ");\\n } |
@@ -1213,9 +1282,30 @@ test_ResponseExpr
| src/express.js:22:44:22:46 | res | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:31:3:31:5 | res | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:31:3:31:26 | res.coo ... 'bar') | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:37:27:37:29 | res | src/express.js:37:12:37:32 | functio ... res){} |
| src/express.js:42:18:42:20 | res | src/express.js:42:12:42:28 | (req, res) => f() |
| src/express.js:37:24:37:26 | res | src/express.js:37:10:37:31 | functio ... es) { } |
| src/express.js:42:16:42:18 | res | src/express.js:42:10:42:26 | (req, res) => f() |
| src/express.js:46:36:46:38 | res | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:53:37:53:39 | res | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:53:37:53:39 | res | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:54:3:54:5 | res | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:54:3:54:41 | res.hea ... /html") | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:55:3:55:5 | res | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:55:3:55:26 | res.sen ... ms.foo) | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:56:7:56:9 | res | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:59:37:59:39 | res | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:59:37:59:39 | res | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:60:3:60:5 | res | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:60:3:60:47 | res.hea ... n/xml") | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:61:3:61:5 | res | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:61:3:61:26 | res.sen ... ms.foo) | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:62:7:62:9 | res | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:65:41:65:43 | res | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:65:41:65:43 | res | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:66:3:66:5 | res | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:66:3:66:42 | res.hea ... plain") | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:67:3:67:5 | res | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:67:3:67:26 | res.sen ... ms.foo) | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:68:7:68:9 | res | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:29:4:31 | res | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:4:29:4:31 | res | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:5:2:5:4 | res | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
@@ -1311,6 +1401,9 @@ test_RouterDefinition_getARouteHandler
| src/express.js:2:11:2:19 | express() | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:2:11:2:19 | express() | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:2:11:2:19 | express() | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:2:11:2:19 | express() | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:2:11:2:19 | express() | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:2:11:2:19 | express() | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:2:11:2:19 | express() | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/middleware-flow.js:2:13:2:21 | express() | src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} |
| src/middleware-flow.js:2:13:2:21 | express() | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
@@ -1374,12 +1467,21 @@ test_RouteHandlerExpr_getNextMiddleware
| src/express.js:39:9:39:20 | getHandler() | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:44:9:44:25 | getArrowHandler() | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:44:9:44:25 | getArrowHandler() | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:44:9:44:25 | getArrowHandler() | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:44:9:44:25 | getArrowHandler() | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:44:9:44:25 | getArrowHandler() | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/subrouter.js:4:19:4:25 | protect | src/subrouter.js:5:14:5:28 | makeSubRouter() |
test_HeaderDefinition
| src/express3.js:5:3:5:51 | res.hea ... "val")) | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express.js:6:3:6:45 | res.hea ... rget")) | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:7:3:7:42 | res.hea ... plain") | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:12:3:12:54 | arg.hea ... , true) | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:12:3:12:54 | arg.hea ... , true) | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:12:3:12:54 | arg.hea ... , true) | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:12:3:12:54 | arg.hea ... , true) | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:54:3:54:41 | res.hea ... /html") | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:60:3:60:47 | res.hea ... n/xml") | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:66:3:66:42 | res.hea ... plain") | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:6:2:6:16 | res.setHeader() | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/responseExprs.js:19:5:19:16 | res.append() | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:37:5:37:28 | f(res.a ... ppend() | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
@@ -1411,6 +1513,9 @@ test_RouteSetup_getServer
| src/express.js:16:3:18:4 | router. ... );\\n }) | src/express.js:2:11:2:19 | express() |
| src/express.js:22:1:32:2 | app.pos ... r');\\n}) | src/express.js:2:11:2:19 | express() |
| src/express.js:46:1:51:2 | app.pos ... me];\\n}) | src/express.js:2:11:2:19 | express() |
| src/express.js:53:1:57:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() |
| src/express.js:59:1:63:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() |
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:2:11:2:19 | express() |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:2:13:2:21 | express() |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:2:13:2:21 | express() |
@@ -1426,6 +1531,9 @@ test_HeaderDefinition_getAHeaderName
| src/express.js:6:3:6:45 | res.hea ... rget")) | location |
| src/express.js:7:3:7:42 | res.hea ... plain") | content-type |
| src/express.js:12:3:12:54 | arg.hea ... , true) | access-control-allow-credentials |
| src/express.js:54:3:54:41 | res.hea ... /html") | content-type |
| src/express.js:60:3:60:47 | res.hea ... n/xml") | content-type |
| src/express.js:66:3:66:42 | res.hea ... plain") | content-type |
test_HeaderAccess
| src/express.js:28:3:28:16 | req.get("foo") | foo |
| src/express.js:29:3:29:19 | req.header("bar") | bar |
@@ -1485,6 +1593,9 @@ test_RouteHandlerExpr
| src/express.js:39:9:39:20 | getHandler() | src/express.js:39:1:39:21 | app.use ... dler()) | false |
| src/express.js:44:9:44:25 | getArrowHandler() | src/express.js:44:1:44:26 | app.use ... dler()) | false |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:46:1:51:2 | app.pos ... me];\\n}) | true |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:53:1:57:2 | app.get ... es);\\n}) | true |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:59:1:63:2 | app.get ... es);\\n}) | true |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:65:1:69:2 | app.get ... es);\\n}) | true |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | true |
| src/middleware-flow.js:13:16:13:24 | installDb | src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | false |
| src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } | src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | true |
@@ -1539,6 +1650,9 @@ test_HeaderDefinition_getNameExpr
| src/express.js:6:3:6:45 | res.hea ... rget")) | src/express.js:6:14:6:23 | "Location" |
| src/express.js:7:3:7:42 | res.hea ... plain") | src/express.js:7:14:7:27 | "Content-Type" |
| src/express.js:12:3:12:54 | arg.hea ... , true) | src/express.js:12:14:12:47 | "Access ... ntials" |
| src/express.js:54:3:54:41 | res.hea ... /html") | src/express.js:54:14:54:27 | "Content-Type" |
| src/express.js:60:3:60:47 | res.hea ... n/xml") | src/express.js:60:14:60:27 | "Content-Type" |
| src/express.js:66:3:66:42 | res.hea ... plain") | src/express.js:66:14:66:27 | "Content-Type" |
test_appCreation
| src/advanced-routehandler-registration.js:2:11:2:19 | express() |
| src/auth.js:1:13:1:32 | require('express')() |
@@ -1586,6 +1700,9 @@ test_RouteSetup_getRequestMethod
| src/express.js:22:1:32:2 | app.pos ... r');\\n}) | POST |
| src/express.js:34:1:34:53 | app.get ... andler) | GET |
| src/express.js:46:1:51:2 | app.pos ... me];\\n}) | POST |
| src/express.js:53:1:57:2 | app.get ... es);\\n}) | GET |
| src/express.js:59:1:63:2 | app.get ... es);\\n}) | GET |
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | GET |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | POST |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | GET |
| src/middleware-flow.js:27:9:27:33 | router. ... ers[p]) | GET |
@@ -1714,9 +1831,42 @@ test_RouteHandler_getAResponseExpr
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:22:44:22:46 | res |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:31:3:31:5 | res |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:31:3:31:26 | res.coo ... 'bar') |
| src/express.js:37:12:37:32 | functio ... res){} | src/express.js:37:27:37:29 | res |
| src/express.js:42:12:42:28 | (req, res) => f() | src/express.js:42:18:42:20 | res |
| src/express.js:37:10:37:31 | functio ... es) { } | src/express.js:37:24:37:26 | res |
| src/express.js:42:10:42:26 | (req, res) => f() | src/express.js:42:16:42:18 | res |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:46:36:46:38 | res |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:11:14:11:16 | arg |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:11:14:11:16 | arg |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:12:3:12:5 | arg |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:12:3:12:54 | arg.hea ... , true) |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:53:37:53:39 | res |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:53:37:53:39 | res |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:54:3:54:5 | res |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:54:3:54:41 | res.hea ... /html") |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:55:3:55:5 | res |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:55:3:55:26 | res.sen ... ms.foo) |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:56:7:56:9 | res |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:11:14:11:16 | arg |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:11:14:11:16 | arg |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:12:3:12:5 | arg |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:12:3:12:54 | arg.hea ... , true) |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:59:37:59:39 | res |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:59:37:59:39 | res |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:60:3:60:5 | res |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:60:3:60:47 | res.hea ... n/xml") |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:61:3:61:5 | res |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:61:3:61:26 | res.sen ... ms.foo) |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:62:7:62:9 | res |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:11:14:11:16 | arg |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:11:14:11:16 | arg |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:12:3:12:5 | arg |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:12:3:12:54 | arg.hea ... , true) |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:65:41:65:43 | res |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:65:41:65:43 | res |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:66:3:66:5 | res |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:66:3:66:42 | res.hea ... plain") |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:67:3:67:5 | res |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:67:3:67:26 | res.sen ... ms.foo) |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:68:7:68:9 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:29:4:31 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:29:4:31 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:5:2:5:4 | res |
@@ -1890,9 +2040,30 @@ test_isResponse
| src/express.js:22:44:22:46 | res |
| src/express.js:31:3:31:5 | res |
| src/express.js:31:3:31:26 | res.coo ... 'bar') |
| src/express.js:37:27:37:29 | res |
| src/express.js:42:18:42:20 | res |
| src/express.js:37:24:37:26 | res |
| src/express.js:42:16:42:18 | res |
| src/express.js:46:36:46:38 | res |
| src/express.js:53:37:53:39 | res |
| src/express.js:53:37:53:39 | res |
| src/express.js:54:3:54:5 | res |
| src/express.js:54:3:54:41 | res.hea ... /html") |
| src/express.js:55:3:55:5 | res |
| src/express.js:55:3:55:26 | res.sen ... ms.foo) |
| src/express.js:56:7:56:9 | res |
| src/express.js:59:37:59:39 | res |
| src/express.js:59:37:59:39 | res |
| src/express.js:60:3:60:5 | res |
| src/express.js:60:3:60:47 | res.hea ... n/xml") |
| src/express.js:61:3:61:5 | res |
| src/express.js:61:3:61:26 | res.sen ... ms.foo) |
| src/express.js:62:7:62:9 | res |
| src/express.js:65:41:65:43 | res |
| src/express.js:65:41:65:43 | res |
| src/express.js:66:3:66:5 | res |
| src/express.js:66:3:66:42 | res.hea ... plain") |
| src/express.js:67:3:67:5 | res |
| src/express.js:67:3:67:26 | res.sen ... ms.foo) |
| src/express.js:68:7:68:9 | res |
| src/inheritedFromNode.js:4:29:4:31 | res |
| src/inheritedFromNode.js:4:29:4:31 | res |
| src/inheritedFromNode.js:5:2:5:4 | res |
@@ -1976,6 +2147,9 @@ test_ResponseBody
| src/express3.js:6:12:6:16 | "val" | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express4.js:8:12:8:19 | dynamic1 | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
| src/express.js:17:14:17:23 | "Go away." | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:55:12:55:25 | req.params.foo | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:61:12:61:25 | req.params.foo | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:67:12:67:25 | req.params.foo | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/params.js:8:18:8:22 | value | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:15:12:15:18 | "Hello" | src/params.js:14:24:16:1 | functio ... lo");\\n} |
test_ResponseSendArgument
@@ -1984,6 +2158,9 @@ test_ResponseSendArgument
| src/express3.js:6:12:6:16 | "val" | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express4.js:8:12:8:19 | dynamic1 | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
| src/express.js:17:14:17:23 | "Go away." | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:55:12:55:25 | req.params.foo | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:61:12:61:25 | req.params.foo | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:67:12:67:25 | req.params.foo | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/params.js:8:18:8:22 | value | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:15:12:15:18 | "Hello" | src/params.js:14:24:16:1 | functio ... lo");\\n} |
test_RouteSetup_getARouteHandler
@@ -2078,12 +2255,15 @@ test_RouteSetup_getARouteHandler
| src/express.js:34:1:34:53 | app.get ... andler) | src/exportedHandler.js:1:19:1:55 | functio ... res) {} |
| src/express.js:34:1:34:53 | app.get ... andler) | src/express.js:34:14:34:52 | require ... handler |
| src/express.js:39:1:39:21 | app.use ... dler()) | src/express.js:36:1:38:1 | return of function getHandler |
| src/express.js:39:1:39:21 | app.use ... dler()) | src/express.js:37:12:37:32 | functio ... res){} |
| src/express.js:39:1:39:21 | app.use ... dler()) | src/express.js:37:10:37:31 | functio ... es) { } |
| src/express.js:39:1:39:21 | app.use ... dler()) | src/express.js:39:9:39:20 | getHandler() |
| src/express.js:44:1:44:26 | app.use ... dler()) | src/express.js:41:1:43:1 | return of function getArrowHandler |
| src/express.js:44:1:44:26 | app.use ... dler()) | src/express.js:42:12:42:28 | (req, res) => f() |
| src/express.js:44:1:44:26 | app.use ... dler()) | src/express.js:42:10:42:26 | (req, res) => f() |
| src/express.js:44:1:44:26 | app.use ... dler()) | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:46:1:51:2 | app.pos ... me];\\n}) | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:53:1:57:2 | app.get ... es);\\n}) | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:59:1:63:2 | app.get ... es);\\n}) | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
@@ -2304,6 +2484,12 @@ test_RouteHandlerExpr_getAMatchingAncestor
| src/express.js:44:9:44:25 | getArrowHandler() | src/express.js:39:9:39:20 | getHandler() |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:39:9:39:20 | getHandler() |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:39:9:39:20 | getHandler() |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:39:9:39:20 | getHandler() |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:39:9:39:20 | getHandler() |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
test_isRouterCreation
| es6-imported-router.js:3:1:3:12 | new Router() |
| src/advanced-routehandler-registration.js:2:11:2:19 | express() |
@@ -2380,6 +2566,9 @@ test_RouteSetup_getRouteHandlerExpr
| src/express.js:39:1:39:21 | app.use ... dler()) | 0 | src/express.js:39:9:39:20 | getHandler() |
| src/express.js:44:1:44:26 | app.use ... dler()) | 0 | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:46:1:51:2 | app.pos ... me];\\n}) | 0 | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:53:1:57:2 | app.get ... es);\\n}) | 0 | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:59:1:63:2 | app.get ... es);\\n}) | 0 | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | 0 | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | 0 | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | 0 | src/middleware-flow.js:13:16:13:24 | installDb |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | 0 | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
@@ -2474,9 +2663,12 @@ test_RouteHandler
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:4:32:4:34 | req | src/express.js:4:37:4:39 | res |
| src/express.js:16:19:18:3 | functio ... ");\\n } | src/express.js:16:28:16:30 | req | src/express.js:16:33:16:35 | res |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:22:39:22:41 | req | src/express.js:22:44:22:46 | res |
| src/express.js:37:12:37:32 | functio ... res){} | src/express.js:37:22:37:24 | req | src/express.js:37:27:37:29 | res |
| src/express.js:42:12:42:28 | (req, res) => f() | src/express.js:42:13:42:15 | req | src/express.js:42:18:42:20 | res |
| src/express.js:37:10:37:31 | functio ... es) { } | src/express.js:37:19:37:21 | req | src/express.js:37:24:37:26 | res |
| src/express.js:42:10:42:26 | (req, res) => f() | src/express.js:42:11:42:13 | req | src/express.js:42:16:42:18 | res |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:46:31:46:33 | req | src/express.js:46:36:46:38 | res |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:53:32:53:34 | req | src/express.js:53:37:53:39 | res |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:59:32:59:34 | req | src/express.js:59:37:59:39 | res |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:65:36:65:38 | req | src/express.js:65:41:65:43 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:24:4:26 | req | src/inheritedFromNode.js:4:29:4:31 | res |
| src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} | src/middleware-flow.js:5:20:5:22 | req | src/middleware-flow.js:5:25:5:27 | res |
| src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } | src/middleware-flow.js:17:25:17:27 | req | src/middleware-flow.js:17:30:17:32 | res |
@@ -2546,6 +2738,9 @@ test_RouteSetup_getARouteHandlerExpr
| src/express.js:39:1:39:21 | app.use ... dler()) | src/express.js:39:9:39:20 | getHandler() |
| src/express.js:44:1:44:26 | app.use ... dler()) | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:46:1:51:2 | app.pos ... me];\\n}) | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:53:1:57:2 | app.get ... es);\\n}) | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:59:1:63:2 | app.get ... es);\\n}) | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:13:16:13:24 | installDb |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
@@ -2608,6 +2803,9 @@ test_RouteHandlerExpr_getPreviousMiddleware
| src/express.js:16:19:18:3 | functio ... ");\\n } | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:44:9:44:25 | getArrowHandler() | src/express.js:39:9:39:20 | getHandler() |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/subrouter.js:5:14:5:28 | makeSubRouter() | src/subrouter.js:4:19:4:25 | protect |
test_RequestExpr
| src/advanced-routehandler-registration.js:6:7:6:9 | req | src/advanced-routehandler-registration.js:6:6:6:35 | (req, r ... og(req) |
@@ -2735,14 +2933,23 @@ test_RequestExpr
| src/express.js:28:3:28:5 | req | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:29:3:29:5 | req | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:30:3:30:5 | req | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:37:22:37:24 | req | src/express.js:37:12:37:32 | functio ... res){} |
| src/express.js:42:13:42:15 | req | src/express.js:42:12:42:28 | (req, res) => f() |
| src/express.js:37:19:37:21 | req | src/express.js:37:10:37:31 | functio ... es) { } |
| src/express.js:42:11:42:13 | req | src/express.js:42:10:42:26 | (req, res) => f() |
| src/express.js:46:31:46:33 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:46:31:46:33 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:47:3:47:5 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:48:3:48:5 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:49:3:49:5 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:50:3:50:5 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:53:32:53:34 | req | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:53:32:53:34 | req | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:55:12:55:14 | req | src/express.js:53:23:57:1 | functio ... res);\\n} |
| src/express.js:59:32:59:34 | req | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:59:32:59:34 | req | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:61:12:61:14 | req | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:65:36:65:38 | req | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:65:36:65:38 | req | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:67:12:67:14 | req | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:24:4:26 | req | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:4:24:4:26 | req | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:7:2:7:4 | req | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
@@ -2926,14 +3133,23 @@ test_RouteHandler_getARequestExpr
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:28:3:28:5 | req |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:29:3:29:5 | req |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:30:3:30:5 | req |
| src/express.js:37:12:37:32 | functio ... res){} | src/express.js:37:22:37:24 | req |
| src/express.js:42:12:42:28 | (req, res) => f() | src/express.js:42:13:42:15 | req |
| src/express.js:37:10:37:31 | functio ... es) { } | src/express.js:37:19:37:21 | req |
| src/express.js:42:10:42:26 | (req, res) => f() | src/express.js:42:11:42:13 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:46:31:46:33 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:46:31:46:33 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:47:3:47:5 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:48:3:48:5 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:49:3:49:5 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:50:3:50:5 | req |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:53:32:53:34 | req |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:53:32:53:34 | req |
| src/express.js:53:23:57:1 | functio ... res);\\n} | src/express.js:55:12:55:14 | req |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:59:32:59:34 | req |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:59:32:59:34 | req |
| src/express.js:59:23:63:1 | functio ... res);\\n} | src/express.js:61:12:61:14 | req |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:65:36:65:38 | req |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:65:36:65:38 | req |
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:67:12:67:14 | req |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:24:4:26 | req |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:24:4:26 | req |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:7:2:7:4 | req |
@@ -3022,3 +3238,13 @@ dbUse
| src/middleware-flow.js:20:9:20:26 | req.deep.access.db |
| src/middleware-flow.js:23:33:23:38 | req.db |
| src/middleware-flow.js:24:33:24:38 | req.db |
test_Xss
| src/csurf-example.js:26:12:26:42 | 'csrf w ... t here' | src/csurf-example.js:26:12:26:42 | 'csrf w ... t here' |
| src/csurf-example.js:33:14:33:34 | 'no csr ... t here' | src/csurf-example.js:33:14:33:34 | 'no csr ... t here' |
| src/express3.js:6:12:6:16 | "val" | src/express3.js:6:12:6:16 | "val" |
| src/express4.js:8:12:8:19 | dynamic1 | src/express4.js:8:12:8:19 | dynamic1 |
| src/express.js:17:14:17:23 | "Go away." | src/express.js:17:14:17:23 | "Go away." |
| src/express.js:55:12:55:25 | req.params.foo | src/express.js:55:12:55:25 | req.params.foo |
| src/express.js:61:12:61:25 | req.params.foo | src/express.js:61:12:61:25 | req.params.foo |
| src/params.js:8:18:8:22 | value | src/params.js:8:18:8:22 | value |
| src/params.js:15:12:15:18 | "Hello" | src/params.js:15:12:15:18 | "Hello" |


@@ -47,3 +47,4 @@ import Credentials
import RouteHandler_getARequestExpr
import RouteHandlerContainer
import MiddlewareFlow
import XSS


@@ -431,6 +431,22 @@ nodes
| jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:13:34:16 | hash |
| json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` |
| json-stringify.jsx:11:51:11:56 | locale |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` |
| json-stringify.jsx:19:56:19:61 | locale |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") |
@@ -1509,6 +1525,24 @@ edges
| jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') |
| jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:11:51:11:56 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:19:56:19:61 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:11:51:11:56 | locale | json-stringify.jsx:11:16:11:58 | `https: ... ocale}` |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:19:56:19:61 | locale | json-stringify.jsx:19:16:19:63 | `https: ... ocale}` |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint |
@@ -2241,6 +2275,8 @@ edges
| jquery.js:27:5:27:25 | hash.re ... #', '') | jquery.js:18:14:18:33 | window.location.hash | jquery.js:27:5:27:25 | hash.re ... #', '') | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value |
| jquery.js:28:5:28:43 | window. ... ?', '') | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') | Cross-site scripting vulnerability due to $@. | jquery.js:28:5:28:26 | window. ... .search | user-provided value |
| jquery.js:34:5:34:25 | '<b>' + ... '</b>' | jquery.js:18:14:18:33 | window.location.hash | jquery.js:34:5:34:25 | '<b>' + ... '</b>' | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value |
| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value |
| jwt-server.js:11:19:11:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:11:19:11:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value |
| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value |
| optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value |


@@ -431,6 +431,22 @@ nodes
| jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:13:34:16 | hash |
| json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` |
| json-stringify.jsx:11:51:11:56 | locale |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` |
| json-stringify.jsx:19:56:19:61 | locale |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") |
@@ -1559,6 +1575,24 @@ edges
| jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') |
| jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:11:51:11:56 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:19:56:19:61 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:11:51:11:56 | locale | json-stringify.jsx:11:16:11:58 | `https: ... ocale}` |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:19:56:19:61 | locale | json-stringify.jsx:19:16:19:63 | `https: ... ocale}` |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint |


@@ -0,0 +1,42 @@
var express = require("express");
var app = express();
app.get("/some/path", function (req, res) {
const locale = req.param("locale");
const breadcrumbList = [
{
"@type": "ListItem",
position: 1,
item: {
"@id": `https://example.com/some?locale=${locale}`,
name: "Some",
},
},
{
"@type": "ListItem",
position: 2,
item: {
"@id": `https://example.com/some/path?locale=${locale}`,
name: "Path",
},
},
];
const jsonLD = {
"@context": "https://schema.org",
"@type": "BreadcrumbList",
itemListElement: breadcrumbList,
};
<script
type="application/ld+json"
dangerouslySetInnerHTML={{ __html: JSON.stringify(locale) }} // NOT OK
/>;
<script
type="application/ld+json"
dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLD) }} // NOT OK
/>;
<script
type="application/ld+json"
dangerouslySetInnerHTML={{ __html: JSON.stringify({}) }} // OK
/>;
<script type="application/ld+json">{ JSON.stringify(jsonLD) }</script> // OK
});
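Review bot: The `// NOT OK` and `// OK` markers on the four `<script type="application/ld+json">` elements do not say what separates the flagged cases from the safe ones, which is the point of this fixture. The two flagged elements pass `JSON.stringify(...)` of a value derived from `req.param("locale")` to `dangerouslySetInnerHTML`, and `JSON.stringify` does not escape `<` or `/`, so the serialized string is inserted as raw markup. The third element serializes a constant `{}`, and the last one passes the string as a JSX child, which React escapes. I would state that in the annotations, e.g. `// NOT OK - JSON.stringify does not HTML-escape, tainted locale reaches raw innerHTML` and `// OK - JSX text children are escaped by React`. If the query models a mitigation, a further `// OK` case that replaces `<` with `\u003c` in the serialized string before insertion would pin that behaviour as well.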


@@ -41,3 +41,8 @@ const filePath3 = createFile();
if (fs.existsSync(filePath3)) {
fs.readFileSync(filePath3); // OK - a read after an existence check is OK
}
const filePath4 = createFile();
while(Math.random() > 0.5) {
fs.open(filePath4); // OK - it is only ever opened here.
}