JS: Accept missing alert and clarify reason

2026-04-26 01:05:15 +02:00 · 2025-02-25 16:35:22 +01:00
parent 9f8744680d
commit 2d1aa3e00a
1 changed files with 3 additions and 1 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-843/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-843/tst.js
@@ -27,6 +27,8 @@ express().get('/some/path', function (req, res) {
    foo.indexOf(prefix) == 1; // $ Alert
    foo.slice(1) === 'x'; // $ Alert

+    foo.length; // $ Alert
+
    if (typeof foo === "string") {
        foo.indexOf();
    } else {
@@ -38,7 +40,7 @@ express().get('/some/path', function (req, res) {

    (foo + f()).indexOf();

-    foo.length; // $ Alert
+    foo.length; // $ MISSING: Alert - missed due to guards sanitising both branches
 });

 new Koa().use(function handler(ctx) {