V1

2026-04-26 01:05:15 +02:00 · 2023-06-22 20:06:41 +10:00
parent 5259a6ecfc
commit 307187f6c1
29 changed files with 1675 additions and 41 deletions
--- a/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.qhelp
@@ -1,40 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>
-GUIDs (often called UUIDs) are widely used in modern web applications.
- One common use for UUIDs is the generation of one-time-use tokens.
- These can used for password reset, and e-mail confirmation routines, for example.
-</p>
-<p>
-There are five versions of UUIDs defined in RFC 4122.
- Out of the five, four are generated in a predictable manner.
- This means it is possible for someone to predict future UUIDs based on a sample
- generated by the target application.
-</p>
-<p>
-Version four is the only UUID version expected to be randomly generated.
- Therefore, for situations where predictable tokens are not desired (e.g. password reset tokens),
- all other versions should be avoided.
-</p>
-</overview>
-
-<recommendation>
-<p>When using GUIDs/UUIDs for generating tokens that should not be predictable, use version four.</p>
-</recommendation>
-
-<example>
-<p>This example shows a UUID v1 being used for a password reset routine.
-</p>
-
-<sample src="TokenBuiltFromUUID.js" />
-</example>
-
-<references>
-<li>UUID <a href="https://datatracker.ietf.org/doc/html/rfc4122">RFC</a>.</li>
-<li>Daniel Thatcher <i>In GUID We Trust</i> <a href="https://www.intruder.io/research/in-guid-we-trust">article</a>.</li>
-<li>UUID exploitation <a href="https://github.com/intruder-io/guidtool">tool</a>.</li>
-</references>
-</qhelp>
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_jszip.ql
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_jszip.ql
@@ -0,0 +1,60 @@
+/**
+ * @name User-controlled file decompression
+ * @description User-controlled data that flows into decompression library APIs without checking the compression rate is dangerous
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.8
+ * @precision medium
+ * @id js/user-controlled-file-decompression
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-409
+ */
+
+import javascript
+import CommandLineSource
+
+class BombConfiguration extends TaintTracking::Configuration {
+  BombConfiguration() { this = "DecompressionBombs" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    source = any(CommandLineFlowSource cls).asSource()
+    or
+    exists(Function f | source.asExpr() = f.getAParameter() |
+      not exists(source.getALocalSource().getStringValue())
+    )
+    or
+    exists(FileSystemReadAccess fsra | source = fsra.getADataNode() |
+      not exists(fsra.getALocalSource().getStringValue())
+    )
+    or
+    exists(Function f | source.asExpr() = f.getAParameter() |
+      not exists(source.getALocalSource().getStringValue())
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(API::Node loadAsync | loadAsync = API::moduleImport("jszip").getMember("loadAsync") |
+      sink = loadAsync.getParameter(0).asSink() and sanitizer(loadAsync)
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    // additional taint step for fs.readFile(pred)
+    // It can be global additional step too
+    exists(DataFlow::CallNode n | n = DataFlow::moduleMember("fs", "readFile").getACall() |
+      pred = n.getArgument(0) and succ = n.getABoundCallbackParameter(1, 1)
+    )
+  }
+}
+
+predicate sanitizer(API::Node loadAsync) {
+  not exists(loadAsync.getASuccessor*().getMember("_data").getMember("uncompressedSize"))
+}
+
+from BombConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
+  "potentially untrusted source"
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_node-tar.ql
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_node-tar.ql
@@ -0,0 +1,123 @@
+/**
+ * @name User-controlled file decompression
+ * @description User-controlled data that flows into decompression library APIs without checking the compression rate is dangerous
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.8
+ * @precision medium
+ * @id js/user-controlled-file-decompression
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-409
+ */
+
+import javascript
+import DataFlow::PathGraph
+import API
+import semmle.javascript.Concepts
+import ReadableAdditionalStep
+import CommandLineSource
+
+class BombConfiguration extends TaintTracking::Configuration {
+  BombConfiguration() { this = "DecompressionBombs" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    // cli Sources
+    source = any(CommandLineFlowSource cls).asSource()
+    or
+    exists(Function f | source.asExpr() = f.getAParameter() |
+      not exists(source.getALocalSource().getStringValue())
+    )
+    or
+    exists(FileSystemReadAccess fsra | source = fsra.getADataNode() |
+      not exists(fsra.getALocalSource().getStringValue())
+    )
+    or
+    source.asExpr() =
+      API::moduleImport("tar")
+          .getMember(["x", "extract"])
+          .getParameter(0)
+          .asSink()
+          .asExpr()
+          .(ObjectExpr)
+          .getAChild()
+          .(Property)
+          .getAChild() and
+    not source.getALocalSource().mayHaveStringValue(_)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(API::Node tarExtract |
+      tarExtract = API::moduleImport("tar").getMember(["x", "extract"])
+    |
+      (
+        // piping tar.x()
+        sink = tarExtract.getACall()
+        or
+        // tar.x({file: filename})
+        // and we don't have a  "maxReadSize: ANum" option
+        sink.asExpr() =
+          tarExtract
+              .getParameter(0)
+              .asSink()
+              .asExpr()
+              .(ObjectExpr)
+              .getAChild()
+              .(Property)
+              .getAChild*() and
+        tarExtract
+            .getParameter(0)
+            .asSink()
+            .asExpr()
+            .(ObjectExpr)
+            .getAChild()
+            .(Property)
+            .getAChild*()
+            .(Label)
+            .getName() = "file"
+      ) and
+      nodeTarSanitizer(tarExtract)
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    readablePipeAdditionalTaintStep(pred, succ)
+    or
+    exists(FileSystemReadAccess cn | pred = cn.getADataNode() and succ = cn.getAPathArgument())
+    or
+    exists(DataFlow::Node sinkhelper, AstNode an |
+      an = sinkhelper.asExpr().(ObjectExpr).getAChild().(Property).getAChild()
+    |
+      pred.asExpr() = an and
+      succ = sinkhelper
+    )
+    or
+    exists(API::Node n | n = API::moduleImport("tar") |
+      pred = n.asSource() and
+      (
+        succ = n.getMember("x").getACall() or
+        succ = n.getMember("x").getACall().getArgument(0)
+      )
+    )
+  }
+}
+
+predicate nodeTarSanitizer(API::Node tarExtract) {
+  not tarExtract
+      .getParameter(0)
+      .asSink()
+      .asExpr()
+      .(ObjectExpr)
+      .getAChild()
+      .(Property)
+      .getAChild*()
+      .(Label)
+      .getName() = "maxReadSize"
+}
+
+from BombConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
+  "potentially untrusted source"
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.ql
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.ql
@@ -0,0 +1,140 @@
+/**
+ * @name User-controlled file decompression
+ * @description User-controlled data that flows into decompression library APIs without checking the compression rate is dangerous
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.8
+ * @precision medium
+ * @id js/user-controlled-file-decompression
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-409
+ */
+
+import javascript
+import DataFlow::PathGraph
+import API
+import semmle.javascript.security.dataflow.IndirectCommandInjectionCustomizations
+import ReadableAdditionalStep
+import CommandLineSource
+
+class BombConfiguration extends TaintTracking::Configuration {
+  BombConfiguration() { this = "DecompressionBombs" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source = any(RemoteFlowSource rfs)
+    or
+    // cli Sources
+    source = any(CommandLineFlowSource cls).asSource()
+    or
+    exists(Function f | source.asExpr() = f.getAParameter() |
+      not exists(source.getALocalSource().getStringValue())
+    )
+    or
+    exists(FileSystemReadAccess fsra | source = fsra.getADataNode() |
+      not exists(fsra.getALocalSource().getStringValue())
+    )
+    or
+    exists(DataFlow::NewNode nn, DataFlow::Node n | nn = n.(NewNode) |
+      source = nn.getArgument(0) and
+      nn.getCalleeName() = "AdmZip" and
+      not exists(source.getALocalSource().getStringValue())
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    // we don't have a "maxOutputLength: ANum" option
+    exists(API::Node zlib |
+      zlib =
+        API::moduleImport("zlib")
+            .getMember([
+                "createGunzip", "createBrotliDecompress", "createUnzip", "createInflate",
+                "createInflateRaw"
+              ]) and
+      sink = zlib.getACall() and
+      zlibSanitizer(zlib, 0)
+      or
+      zlib =
+        API::moduleImport("zlib")
+            .getMember([
+                "gunzip", "gunzipSync", "unzip", "unzipSync", "brotliDecompress",
+                "brotliDecompressSync", "inflateSync", "inflateRawSync", "inflate", "inflateRaw"
+              ]) and
+      sink = zlib.getACall().getArgument(0) and
+      zlibSanitizer(zlib, 1)
+    )
+    or
+    sink =
+      [
+        DataFlow::moduleMember("pako", ["inflate", "inflateRaw", "ungzip"])
+            .getACall()
+            .getArgument(0)
+      ]
+    or
+    exists(API::Node n | n = API::moduleImport("adm-zip").getInstance() |
+      (
+        sink = n.getMember(["extractAllTo", "extractEntryTo", "readAsText"]).getReturn().asSource()
+        or
+        sink =
+          n.getMember("getEntries").getASuccessor*().getMember("getData").getReturn().asSource()
+      )
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    readablePipeAdditionalTaintStep(pred, succ)
+    or
+    // succ = new Uint8Array(pred)
+    exists(DataFlow::Node n, NewExpr ne | ne = n.asExpr().(NewExpr) |
+      pred.asExpr() = ne.getArgument(0) and
+      succ.asExpr() = ne and
+      ne.getCalleeName() = "Uint8Array"
+    )
+    or
+    // AdmZip
+    exists(API::Node n | n = API::moduleImport("adm-zip") |
+      pred = n.getParameter(0).asSink() and
+      (
+        succ =
+          n.getInstance()
+              .getMember(["extractAllTo", "extractEntryTo", "readAsText"])
+              .getReturn()
+              .asSource() or
+        succ =
+          n.getInstance()
+              .getMember("getEntries")
+              .getASuccessor*()
+              .getMember("getData")
+              .getReturn()
+              .asSource()
+      )
+    )
+    or
+    // pred.pipe(succ)
+    // I saw many instances like response.pipe(succ) which I couldn't exactly model this pattern
+    exists(DataFlow::MethodCallNode n |
+      n.getMethodName() = "pipe" and
+      succ = n.getArgument(0) and
+      pred = n.getReceiver() and
+      not pred instanceof DataFlow::MethodCallNode
+    )
+  }
+}
+
+predicate zlibSanitizer(API::Node zlib, int numOfParameter) {
+  numOfParameter = [0, 1] and
+  not zlib.getParameter(numOfParameter)
+      .asSink()
+      .asExpr()
+      .(ObjectExpr)
+      .getAChild()
+      .(Property)
+      .getAChild*()
+      .(Label)
+      .getName() = "maxOutputLength"
+}
+
+from BombConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
+  "potentially untrusted source"
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/CommandLineSource.qll
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/CommandLineSource.qll
@@ -0,0 +1,104 @@
+import javascript
+import DataFlow::PathGraph
+import API
+
+/**
+ * there are FP when the types are not str
+ * because int,boolean types are not really dangerous as a source node
+ */
+abstract class CommandLineFlowSource extends API::Node { }
+
+class Yargs extends CommandLineFlowSource {
+  Yargs() {
+    this = API::moduleImport("yargs/yargs").getASuccessor().getMember("argv") or
+    this = API::moduleImport("yargs/yargs").getASuccessor().getMember("argv").getAMember()
+  }
+}
+
+class Argv extends CommandLineFlowSource {
+  Argv() {
+    exists(string numOfArg |
+      this = API::moduleImport(["node:process", "process"]).getMember("argv").getMember(numOfArg) and
+      not numOfArg = ["0", "1", "forEach"]
+    )
+    or
+    this =
+      API::moduleImport("node:process")
+          .getMember("argv")
+          .getMember("forEach")
+          .getParameter(0)
+          .getParameter(1)
+  }
+}
+
+predicate test(API::Node n) {
+  n = API::moduleImport("commander").getMember("Command").getASuccessor*().getInstance()
+}
+
+class Commander extends CommandLineFlowSource {
+  Commander() {
+    // opts() are { key : value }
+    // args are remaining arguments
+    exists(API::Node n |
+      n =
+        [
+          API::moduleImport("commander").getMember("Command").getASuccessor*().getInstance(),
+          // https://github.com/tj/commander.js#life-cycle-hooks
+          // https://github.com/tj/commander.js/blob/master/examples/hook.js
+          API::moduleImport("commander")
+              .getMember("Command")
+              .getASuccessor*()
+              .getMember("hook")
+              .getParameter(1)
+              .getParameter(_),
+          // https://github.com/tj/commander.js/blob/master/examples/action-this.js
+          API::moduleImport("commander")
+              .getMember("Command")
+              .getASuccessor*()
+              .getMember("action")
+              .getParameter(0)
+              .getReceiver()
+        ]
+    |
+      this = n.getMember("opts").getReturn().getMember(_)
+      or
+      this = n.getMember("args")
+    )
+    or
+    // action handlers has FP because of options and command in `.action((name, options, command)`
+    // https://github.com/tj/commander.js#action-handler
+    // https://github.com/tj/commander.js#commands
+    this =
+      API::moduleImport("commander")
+          .getMember("Command")
+          .getASuccessor*()
+          .getMember("action")
+          .getParameter(0)
+          .getParameter(_)
+    or
+    // why we can't have forEach global taintStep?
+    // https://github.com/tj/commander.js#command-arguments
+    this =
+      API::moduleImport("commander")
+          .getMember("Command")
+          .getASuccessor*()
+          .getMember("action")
+          .getParameter(0)
+          .getParameter(_)
+          .getASuccessor*()
+          .getMember("forEach")
+          .getParameter(0)
+          .getParameter(0)
+    or
+    // Custom option processing
+    // https://github.com/tj/commander.js#custom-option-processing
+    // https://github.com/tj/commander.js/blob/master/examples/options-custom-processing.js
+    this =
+      API::moduleImport("commander")
+          .getMember("Command")
+          .getASuccessor*()
+          .getMember("option")
+          .getParameter(2)
+          .getParameter(_)
+  }
+}
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.qhelp
@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Extracting Compressed files with any compression algorithm like gzip can cause to denial of service attacks.</p>
+<p>Attackers can compress a huge file which created by repeated similiar byte and convert it to a small compressed file.</p>
+
+</overview>
+<recommendation>
+
+<p>When you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.</p>
+
+</recommendation>
+<example>
+
+<p>
+JsZip: check uncompressedSize Object Field before extraction.
+</p>
+<sample src="jszip_good.js"/>
+
+<p>
+nodejs Zlib: use <a href="https://nodejs.org/dist/latest-v18.x/docs/api/zlib.html#class-options">maxOutputLength option</a> which it'll limit the buffer read size
+</p>
+<sample src="zlib_good.js" />
+
+<p>
+node-tar: use <a href="https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90">maxReadSize option</a> which it'll limit the buffer read size
+</p>
+<sample src="node-tar_good.js" />
+
+</example>
+<references>
+
+<li>
+<a href="https://github.com/advisories/GHSA-8225-6cvr-8pqp">CVE-2017-16129</a>
+</li>
+<li>
+<a href="https://www.bamsoftware.com/hacks/zipbomb/">A great research to gain more impact by this kind of attacks</a>
+</li>
+
+</references>
+</qhelp>
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/ReadableAdditionalStep.qll
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/ReadableAdditionalStep.qll
@@ -0,0 +1,28 @@
+import javascript
+import API
+
+predicate readablePipeAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  // this step connect the first pipe parameter to the last pipe parameter
+  exists(API::Node cn |
+    cn =
+      [
+        API::moduleImport("fs").getMember("createReadStream"),
+        API::moduleImport("stream").getMember("Readable")
+      ]
+  |
+    pred = cn.getParameter(0).asSink() and
+    succ = cn.getASuccessor*().getMember("pipe").getParameter(0).asSink()
+  )
+  or
+  // this step connect the a pipe parameter to the next pipe parameter
+  exists(API::Node cn |
+    cn =
+      [
+        API::moduleImport("fs").getMember("createReadStream"),
+        API::moduleImport("stream").getMember("Readable")
+      ].getASuccessor*()
+  |
+    pred = cn.getParameter(0).asSink() and
+    succ = cn.getReturn().getMember("pipe").getParameter(0).asSink()
+  )
+}
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/SequelizeModelMethodCall.ql
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/SequelizeModelMethodCall.ql
@@ -0,0 +1,53 @@
+/**
+ * @id javascript/sequlize
+ * @kind path-problem
+ * @name demonstrate sequlize additional taintstep
+ * @description add sequlize methods calls on custom models as sinks and additional taint steps
+ * @problem.severity error
+ * @precision low
+ * @tags experimental
+ */
+
+import javascript
+import DataFlow::PathGraph
+import sequelizeModelTypes::sequelizeModel
+import API
+
+class SequelizeModelConfiguration extends TaintTracking::Configuration {
+  SequelizeModelConfiguration() { this = "Bombs" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource and
+    exists(source.getTopLevel().getFile().getRelativePath())
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(DataFlow::CallNode n |
+      n.getCalleeName() = "findByPk" and
+      sequelizeModelAsSourceNode().(DataFlow::LocalSourceNode).flowsTo(n.getReceiver()) and
+      sink = n.getArgument(0)
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode n |
+      // any related method of sequelize can be added here
+      n.getCalleeName() = "findByPk" and
+      sequelizeModelAsSourceNode().(DataFlow::LocalSourceNode).flowsTo(n.getReceiver()) and
+      pred = n.getArgument(0) and
+      succ = n
+    )
+    or
+    // succ = { pred : pred} I think it has high FP rate for be a global taint step!
+    exists(DataFlow::Node sinkhelper, AstNode an |
+      an = sinkhelper.asExpr().(ObjectExpr).getAChild().(Property).getAChild()
+    |
+      pred.asExpr() = an and
+      succ = sinkhelper
+    )
+  }
+}
+
+from SequelizeModelConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink, source, sink, "from ==> to"
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/jszip_good.js
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/jszip_good.js
@@ -0,0 +1,11 @@
+const jszipp = require("jszip");
+function zipBombSafe(zipFile) {
+    jszipp.loadAsync(zipFile.data).then(function (zip) {
+        if (zip.file("10GB")["_data"]["uncompressedSize"] > 1024 * 1024 * 8) {
+            console.log("error")
+        }
+        zip.file("10GB").async("uint8array").then(function (u8) {
+            console.log(u8);
+        });
+    });
+}
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/node-tar_good.js
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/node-tar_good.js
@@ -0,0 +1,8 @@
+const tar = require("tar");
+
+tar.x({
+    file: tarFileName,
+    strip: 1,
+    C: 'some-dir',
+    maxReadSize: 16 * 1024 * 1024 // 16 MB
+})
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/sequelizeModelTypes.qll
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/sequelizeModelTypes.qll
@@ -0,0 +1,22 @@
+import javascript
+import DataFlow
+
+module sequelizeModel {
+  SourceNode sequelizeModelAsSourceNode(TypeTracker t) {
+    t.start() and
+    exists(
+      DataFlow::ClassNode baseModelFirstDirectChild, DataFlow::ClassNode baseModelAllLevelSubClasses
+    |
+      DataFlow::moduleMember("sequelize-typescript", "Model")
+          .flowsTo(baseModelFirstDirectChild.getASuperClassNode()) and
+      baseModelAllLevelSubClasses = baseModelFirstDirectChild.getADirectSubClass*() and
+      result = baseModelAllLevelSubClasses
+    )
+    or
+    exists(TypeTracker t2 | result = sequelizeModelAsSourceNode(t2).track(t2, t))
+  }
+
+  SourceNode sequelizeModelAsSourceNode() {
+    result = sequelizeModelAsSourceNode(TypeTracker::end())
+  }
+}
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/zlib_good.js
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/zlib_good.js
@@ -0,0 +1,11 @@
+const zlib = require("zlib");
+
+zlib.gunzip(
+    inputZipFile.data,
+    { maxOutputLength: 1024 * 1024 * 5 },
+    (err, buffer) => {
+        doSomeThingWithData(buffer);
+    });
+zlib.gunzipSync(inputZipFile.data, { maxOutputLength: 1024 * 1024 * 5 });
+
+inputZipFile.pipe(zlib.createGunzip({ maxOutputLength: 1024 * 1024 * 5 })).pipe(outputFile);
--- a/javascript/ql/test/experimental/Security/CWE-094/UntrustedCheckout.qlref
+++ b/javascript/ql/test/experimental/Security/CWE-094/UntrustedCheckout.qlref
@@ -1 +0,0 @@
-experimental/Security/CWE-094/UntrustedCheckout.ql
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_jszip.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_jszip.expected
@@ -0,0 +1,154 @@
+nodes
+| YargsTests1.js:3:5:3:62 | argv1 |
+| YargsTests1.js:3:13:3:62 | require ... )).argv |
+| YargsTests1.js:3:13:3:62 | require ... )).argv |
+| YargsTests1.js:8:14:8:18 | argv1 |
+| YargsTests1.js:8:14:8:20 | argv1.a |
+| YargsTests1.js:8:14:8:20 | argv1.a |
+| argvTests1.js:4:14:4:20 | argv[2] |
+| argvTests1.js:4:14:4:20 | argv[2] |
+| argvTests1.js:6:15:6:17 | val |
+| argvTests1.js:6:15:6:17 | val |
+| argvTests1.js:7:18:7:20 | val |
+| commanderTests1.js:5:18:5:22 | value |
+| commanderTests1.js:5:18:5:22 | value |
+| commanderTests1.js:5:25:5:32 | previous |
+| commanderTests1.js:5:25:5:32 | previous |
+| commanderTests1.js:6:18:6:25 | previous |
+| commanderTests1.js:7:25:7:29 | value |
+| commanderTests1.js:15:14:15:28 | options.collect |
+| commanderTests1.js:15:14:15:28 | options.collect |
+| commanderTests2.js:10:22:10:40 | this.opts().zipPath |
+| commanderTests2.js:10:22:10:40 | this.opts().zipPath |
+| commanderTests2.js:11:22:11:30 | this.args |
+| commanderTests2.js:11:22:11:30 | this.args |
+| commanderTests2.js:11:22:11:33 | this.args[0] |
+| commanderTests3.js:10:18:10:32 | options.zipPath |
+| commanderTests3.js:10:18:10:32 | options.zipPath |
+| commanderTests3.js:16:14:16:20 | zipPath |
+| commanderTests3.js:16:14:16:20 | zipPath |
+| commanderTests3.js:16:23:16:30 | password |
+| commanderTests3.js:16:23:16:30 | password |
+| commanderTests3.js:17:22:17:28 | zipPath |
+| commanderTests3.js:18:22:18:29 | password |
+| commanderTests3.js:25:23:25:26 | dirs |
+| commanderTests3.js:25:23:25:26 | dirs |
+| commanderTests3.js:26:9:26:12 | dirs |
+| commanderTests3.js:26:23:26:29 | zipPath |
+| commanderTests3.js:26:23:26:29 | zipPath |
+| commanderTests3.js:27:26:27:32 | zipPath |
+| commanderTests3.js:34:26:34:51 | thisCom ... zipPath |
+| commanderTests3.js:34:26:34:51 | thisCom ... zipPath |
+| main-jszip.js:13:22:13:24 | req |
+| main-jszip.js:13:22:13:24 | req |
+| main-jszip.js:14:24:14:26 | req |
+| main-jszip.js:14:24:14:32 | req.files |
+| main-jszip.js:14:24:14:32 | req.files |
+| main-jszip.js:14:24:14:44 | req.fil ... ombFile |
+| main-jszip.js:15:13:15:23 | tmpObj["a"] |
+| main-jszip.js:35:18:35:24 | zipFile |
+| main-jszip.js:35:18:35:24 | zipFile |
+| main-jszip.js:35:18:35:24 | zipFile |
+| main-jszip.js:36:22:36:28 | zipFile |
+| main-jszip.js:36:22:36:28 | zipFile |
+| main-jszip.js:36:22:36:33 | zipFile.data |
+| main-jszip.js:36:22:36:33 | zipFile.data |
+| main-jszip.js:36:22:36:33 | zipFile.data |
+| main-jszip.js:47:23:47:26 | path |
+| main-jszip.js:47:23:47:26 | path |
+| main-jszip.js:47:23:47:26 | path |
+| main-jszip.js:48:17:48:20 | path |
+| main-jszip.js:48:17:48:20 | path |
+| main-jszip.js:49:26:49:29 | data |
+| main-jszip.js:49:26:49:29 | data |
+| main-jszip.js:49:26:49:29 | data |
+| main-jszip.js:51:29:51:32 | data |
+| main-jszip.js:51:29:51:32 | data |
+| main-jszip.js:51:29:51:32 | data |
+edges
+| YargsTests1.js:3:5:3:62 | argv1 | YargsTests1.js:8:14:8:18 | argv1 |
+| YargsTests1.js:3:13:3:62 | require ... )).argv | YargsTests1.js:3:5:3:62 | argv1 |
+| YargsTests1.js:3:13:3:62 | require ... )).argv | YargsTests1.js:3:5:3:62 | argv1 |
+| YargsTests1.js:8:14:8:18 | argv1 | YargsTests1.js:8:14:8:20 | argv1.a |
+| YargsTests1.js:8:14:8:20 | argv1.a | main-jszip.js:47:23:47:26 | path |
+| YargsTests1.js:8:14:8:20 | argv1.a | main-jszip.js:47:23:47:26 | path |
+| argvTests1.js:4:14:4:20 | argv[2] | main-jszip.js:47:23:47:26 | path |
+| argvTests1.js:4:14:4:20 | argv[2] | main-jszip.js:47:23:47:26 | path |
+| argvTests1.js:6:15:6:17 | val | argvTests1.js:7:18:7:20 | val |
+| argvTests1.js:6:15:6:17 | val | argvTests1.js:7:18:7:20 | val |
+| argvTests1.js:7:18:7:20 | val | main-jszip.js:47:23:47:26 | path |
+| commanderTests1.js:5:18:5:22 | value | commanderTests1.js:7:25:7:29 | value |
+| commanderTests1.js:5:18:5:22 | value | commanderTests1.js:7:25:7:29 | value |
+| commanderTests1.js:5:25:5:32 | previous | commanderTests1.js:6:18:6:25 | previous |
+| commanderTests1.js:5:25:5:32 | previous | commanderTests1.js:6:18:6:25 | previous |
+| commanderTests1.js:6:18:6:25 | previous | main-jszip.js:47:23:47:26 | path |
+| commanderTests1.js:7:25:7:29 | value | main-jszip.js:47:23:47:26 | path |
+| commanderTests1.js:15:14:15:28 | options.collect | main-jszip.js:47:23:47:26 | path |
+| commanderTests1.js:15:14:15:28 | options.collect | main-jszip.js:47:23:47:26 | path |
+| commanderTests2.js:10:22:10:40 | this.opts().zipPath | main-jszip.js:47:23:47:26 | path |
+| commanderTests2.js:10:22:10:40 | this.opts().zipPath | main-jszip.js:47:23:47:26 | path |
+| commanderTests2.js:11:22:11:30 | this.args | commanderTests2.js:11:22:11:33 | this.args[0] |
+| commanderTests2.js:11:22:11:30 | this.args | commanderTests2.js:11:22:11:33 | this.args[0] |
+| commanderTests2.js:11:22:11:33 | this.args[0] | main-jszip.js:47:23:47:26 | path |
+| commanderTests3.js:10:18:10:32 | options.zipPath | main-jszip.js:47:23:47:26 | path |
+| commanderTests3.js:10:18:10:32 | options.zipPath | main-jszip.js:47:23:47:26 | path |
+| commanderTests3.js:16:14:16:20 | zipPath | commanderTests3.js:17:22:17:28 | zipPath |
+| commanderTests3.js:16:14:16:20 | zipPath | commanderTests3.js:17:22:17:28 | zipPath |
+| commanderTests3.js:16:23:16:30 | password | commanderTests3.js:18:22:18:29 | password |
+| commanderTests3.js:16:23:16:30 | password | commanderTests3.js:18:22:18:29 | password |
+| commanderTests3.js:17:22:17:28 | zipPath | main-jszip.js:47:23:47:26 | path |
+| commanderTests3.js:18:22:18:29 | password | main-jszip.js:47:23:47:26 | path |
+| commanderTests3.js:25:23:25:26 | dirs | commanderTests3.js:26:9:26:12 | dirs |
+| commanderTests3.js:25:23:25:26 | dirs | commanderTests3.js:26:9:26:12 | dirs |
+| commanderTests3.js:26:9:26:12 | dirs | commanderTests3.js:26:23:26:29 | zipPath |
+| commanderTests3.js:26:23:26:29 | zipPath | commanderTests3.js:27:26:27:32 | zipPath |
+| commanderTests3.js:26:23:26:29 | zipPath | commanderTests3.js:27:26:27:32 | zipPath |
+| commanderTests3.js:27:26:27:32 | zipPath | main-jszip.js:47:23:47:26 | path |
+| commanderTests3.js:34:26:34:51 | thisCom ... zipPath | main-jszip.js:47:23:47:26 | path |
+| commanderTests3.js:34:26:34:51 | thisCom ... zipPath | main-jszip.js:47:23:47:26 | path |
+| main-jszip.js:13:22:13:24 | req | main-jszip.js:14:24:14:26 | req |
+| main-jszip.js:13:22:13:24 | req | main-jszip.js:14:24:14:26 | req |
+| main-jszip.js:14:24:14:26 | req | main-jszip.js:14:24:14:32 | req.files |
+| main-jszip.js:14:24:14:32 | req.files | main-jszip.js:14:24:14:44 | req.fil ... ombFile |
+| main-jszip.js:14:24:14:32 | req.files | main-jszip.js:14:24:14:44 | req.fil ... ombFile |
+| main-jszip.js:14:24:14:44 | req.fil ... ombFile | main-jszip.js:15:13:15:23 | tmpObj["a"] |
+| main-jszip.js:15:13:15:23 | tmpObj["a"] | main-jszip.js:35:18:35:24 | zipFile |
+| main-jszip.js:35:18:35:24 | zipFile | main-jszip.js:36:22:36:28 | zipFile |
+| main-jszip.js:35:18:35:24 | zipFile | main-jszip.js:36:22:36:28 | zipFile |
+| main-jszip.js:35:18:35:24 | zipFile | main-jszip.js:36:22:36:28 | zipFile |
+| main-jszip.js:36:22:36:28 | zipFile | main-jszip.js:36:22:36:33 | zipFile.data |
+| main-jszip.js:36:22:36:28 | zipFile | main-jszip.js:36:22:36:33 | zipFile.data |
+| main-jszip.js:36:22:36:28 | zipFile | main-jszip.js:36:22:36:33 | zipFile.data |
+| main-jszip.js:36:22:36:28 | zipFile | main-jszip.js:36:22:36:33 | zipFile.data |
+| main-jszip.js:47:23:47:26 | path | main-jszip.js:48:17:48:20 | path |
+| main-jszip.js:47:23:47:26 | path | main-jszip.js:48:17:48:20 | path |
+| main-jszip.js:47:23:47:26 | path | main-jszip.js:48:17:48:20 | path |
+| main-jszip.js:48:17:48:20 | path | main-jszip.js:49:26:49:29 | data |
+| main-jszip.js:48:17:48:20 | path | main-jszip.js:49:26:49:29 | data |
+| main-jszip.js:49:26:49:29 | data | main-jszip.js:51:29:51:32 | data |
+| main-jszip.js:49:26:49:29 | data | main-jszip.js:51:29:51:32 | data |
+| main-jszip.js:49:26:49:29 | data | main-jszip.js:51:29:51:32 | data |
+| main-jszip.js:49:26:49:29 | data | main-jszip.js:51:29:51:32 | data |
+| main-jszip.js:49:26:49:29 | data | main-jszip.js:51:29:51:32 | data |
+| main-jszip.js:49:26:49:29 | data | main-jszip.js:51:29:51:32 | data |
+#select
+| main-jszip.js:36:22:36:33 | zipFile.data | main-jszip.js:13:22:13:24 | req | main-jszip.js:36:22:36:33 | zipFile.data | This file extraction depends on a $@. | main-jszip.js:13:22:13:24 | req | potentially untrusted source |
+| main-jszip.js:36:22:36:33 | zipFile.data | main-jszip.js:14:24:14:32 | req.files | main-jszip.js:36:22:36:33 | zipFile.data | This file extraction depends on a $@. | main-jszip.js:14:24:14:32 | req.files | potentially untrusted source |
+| main-jszip.js:36:22:36:33 | zipFile.data | main-jszip.js:35:18:35:24 | zipFile | main-jszip.js:36:22:36:33 | zipFile.data | This file extraction depends on a $@. | main-jszip.js:35:18:35:24 | zipFile | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | YargsTests1.js:3:13:3:62 | require ... )).argv | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | YargsTests1.js:3:13:3:62 | require ... )).argv | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | YargsTests1.js:8:14:8:20 | argv1.a | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | YargsTests1.js:8:14:8:20 | argv1.a | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | argvTests1.js:4:14:4:20 | argv[2] | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | argvTests1.js:4:14:4:20 | argv[2] | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | argvTests1.js:6:15:6:17 | val | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | argvTests1.js:6:15:6:17 | val | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests1.js:5:18:5:22 | value | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests1.js:5:18:5:22 | value | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests1.js:5:25:5:32 | previous | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests1.js:5:25:5:32 | previous | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests1.js:15:14:15:28 | options.collect | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests1.js:15:14:15:28 | options.collect | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests2.js:10:22:10:40 | this.opts().zipPath | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests2.js:10:22:10:40 | this.opts().zipPath | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests2.js:11:22:11:30 | this.args | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests2.js:11:22:11:30 | this.args | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests3.js:10:18:10:32 | options.zipPath | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests3.js:10:18:10:32 | options.zipPath | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests3.js:16:14:16:20 | zipPath | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests3.js:16:14:16:20 | zipPath | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests3.js:16:23:16:30 | password | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests3.js:16:23:16:30 | password | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests3.js:25:23:25:26 | dirs | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests3.js:25:23:25:26 | dirs | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests3.js:26:23:26:29 | zipPath | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests3.js:26:23:26:29 | zipPath | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | commanderTests3.js:34:26:34:51 | thisCom ... zipPath | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | commanderTests3.js:34:26:34:51 | thisCom ... zipPath | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | main-jszip.js:47:23:47:26 | path | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | main-jszip.js:47:23:47:26 | path | potentially untrusted source |
+| main-jszip.js:51:29:51:32 | data | main-jszip.js:49:26:49:29 | data | main-jszip.js:51:29:51:32 | data | This file extraction depends on a $@. | main-jszip.js:49:26:49:29 | data | potentially untrusted source |
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_jszip.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_jszip.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-522-DecompressionBombs/Bombs_jszip.ql
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_node-tar.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_node-tar.expected
@@ -0,0 +1,150 @@
+nodes
+| main-node-tar.js:14:22:14:24 | req |
+| main-node-tar.js:14:22:14:24 | req |
+| main-node-tar.js:15:13:15:15 | req |
+| main-node-tar.js:15:13:15:21 | req.files |
+| main-node-tar.js:15:13:15:21 | req.files |
+| main-node-tar.js:15:13:15:33 | req.fil ... ombFile |
+| main-node-tar.js:19:18:19:24 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile |
+| main-node-tar.js:21:37:21:43 | tarFile |
+| main-node-tar.js:21:37:21:43 | tarFile |
+| main-node-tar.js:21:37:21:48 | tarFile.data |
+| main-node-tar.js:21:37:21:48 | tarFile.data |
+| main-node-tar.js:24:9:24:15 | tar.x() |
+| main-node-tar.js:24:9:24:15 | tar.x() |
+| main-node-tar.js:24:9:24:15 | tar.x() |
+| main-node-tar.js:29:25:29:31 | tarFile |
+| main-node-tar.js:29:25:29:31 | tarFile |
+| main-node-tar.js:29:25:29:36 | tarFile.name |
+| main-node-tar.js:29:25:29:36 | tarFile.name |
+| main-node-tar.js:30:9:33:10 | tar.x({ ...      }) |
+| main-node-tar.js:30:9:33:10 | tar.x({ ...      }) |
+| main-node-tar.js:30:9:33:10 | tar.x({ ...      }) |
+| main-node-tar.js:30:9:33:10 | tar.x({ ...      }) |
+| main-node-tar.js:45:25:45:31 | tarFile |
+| main-node-tar.js:45:25:45:31 | tarFile |
+| main-node-tar.js:45:25:45:36 | tarFile.name |
+| main-node-tar.js:45:25:45:36 | tarFile.name |
+| main-node-tar.js:46:9:46:20 | decompressor |
+| main-node-tar.js:46:9:46:20 | decompressor |
+| main-node-tar.js:46:9:46:20 | decompressor |
+| main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:58:12:58:15 | file |
+| main-node-tar.js:58:12:58:15 | file |
+| main-node-tar.js:58:12:58:15 | file |
+| main-node-tar.js:58:18:58:24 | tarFile |
+| main-node-tar.js:58:18:58:24 | tarFile |
+| main-node-tar.js:58:18:58:24 | tarFile |
+| main-node-tar.js:58:18:58:29 | tarFile.name |
+| main-node-tar.js:58:18:58:29 | tarFile.name |
+| main-node-tar.js:58:18:58:29 | tarFile.name |
+| main-node-tar.js:58:18:58:29 | tarFile.name |
+| main-node-tar.js:59:18:59:21 | file |
+| main-node-tar.js:59:18:59:21 | file |
+| main-node-tar.js:59:18:59:21 | file |
+| main-node-tar.js:59:24:59:30 | tarFile |
+| main-node-tar.js:59:24:59:30 | tarFile |
+| main-node-tar.js:59:24:59:30 | tarFile |
+| main-node-tar.js:59:24:59:35 | tarFile.name |
+| main-node-tar.js:59:24:59:35 | tarFile.name |
+| main-node-tar.js:59:24:59:35 | tarFile.name |
+| main-node-tar.js:59:24:59:35 | tarFile.name |
+edges
+| main-node-tar.js:14:22:14:24 | req | main-node-tar.js:15:13:15:15 | req |
+| main-node-tar.js:14:22:14:24 | req | main-node-tar.js:15:13:15:15 | req |
+| main-node-tar.js:15:13:15:15 | req | main-node-tar.js:15:13:15:21 | req.files |
+| main-node-tar.js:15:13:15:21 | req.files | main-node-tar.js:15:13:15:33 | req.fil ... ombFile |
+| main-node-tar.js:15:13:15:21 | req.files | main-node-tar.js:15:13:15:33 | req.fil ... ombFile |
+| main-node-tar.js:15:13:15:33 | req.fil ... ombFile | main-node-tar.js:19:18:19:24 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:21:37:21:43 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:21:37:21:43 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:21:37:21:43 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:29:25:29:31 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:29:25:29:31 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:29:25:29:31 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:45:25:45:31 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:45:25:45:31 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:45:25:45:31 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:58:18:58:24 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:58:18:58:24 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:58:18:58:24 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:58:18:58:24 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:58:18:58:24 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:58:18:58:24 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:59:24:59:30 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:59:24:59:30 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:59:24:59:30 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:59:24:59:30 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:59:24:59:30 | tarFile |
+| main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:59:24:59:30 | tarFile |
+| main-node-tar.js:21:37:21:43 | tarFile | main-node-tar.js:21:37:21:48 | tarFile.data |
+| main-node-tar.js:21:37:21:43 | tarFile | main-node-tar.js:21:37:21:48 | tarFile.data |
+| main-node-tar.js:21:37:21:48 | tarFile.data | main-node-tar.js:24:9:24:15 | tar.x() |
+| main-node-tar.js:21:37:21:48 | tarFile.data | main-node-tar.js:24:9:24:15 | tar.x() |
+| main-node-tar.js:21:37:21:48 | tarFile.data | main-node-tar.js:24:9:24:15 | tar.x() |
+| main-node-tar.js:21:37:21:48 | tarFile.data | main-node-tar.js:24:9:24:15 | tar.x() |
+| main-node-tar.js:29:25:29:31 | tarFile | main-node-tar.js:29:25:29:36 | tarFile.name |
+| main-node-tar.js:29:25:29:31 | tarFile | main-node-tar.js:29:25:29:36 | tarFile.name |
+| main-node-tar.js:29:25:29:36 | tarFile.name | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) |
+| main-node-tar.js:29:25:29:36 | tarFile.name | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) |
+| main-node-tar.js:29:25:29:36 | tarFile.name | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) |
+| main-node-tar.js:29:25:29:36 | tarFile.name | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) |
+| main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) |
+| main-node-tar.js:45:25:45:31 | tarFile | main-node-tar.js:45:25:45:36 | tarFile.name |
+| main-node-tar.js:45:25:45:31 | tarFile | main-node-tar.js:45:25:45:36 | tarFile.name |
+| main-node-tar.js:45:25:45:36 | tarFile.name | main-node-tar.js:46:9:46:20 | decompressor |
+| main-node-tar.js:45:25:45:36 | tarFile.name | main-node-tar.js:46:9:46:20 | decompressor |
+| main-node-tar.js:45:25:45:36 | tarFile.name | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:45:25:45:36 | tarFile.name | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:45:25:45:36 | tarFile.name | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:45:25:45:36 | tarFile.name | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:46:9:46:20 | decompressor | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:46:9:46:20 | decompressor | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:46:9:46:20 | decompressor | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:46:9:46:20 | decompressor | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:46:9:46:20 | decompressor | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:46:9:46:20 | decompressor | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) |
+| main-node-tar.js:58:12:58:15 | file | main-node-tar.js:58:12:58:15 | file |
+| main-node-tar.js:58:18:58:24 | tarFile | main-node-tar.js:58:18:58:29 | tarFile.name |
+| main-node-tar.js:58:18:58:24 | tarFile | main-node-tar.js:58:18:58:29 | tarFile.name |
+| main-node-tar.js:58:18:58:24 | tarFile | main-node-tar.js:58:18:58:29 | tarFile.name |
+| main-node-tar.js:58:18:58:24 | tarFile | main-node-tar.js:58:18:58:29 | tarFile.name |
+| main-node-tar.js:58:18:58:29 | tarFile.name | main-node-tar.js:58:18:58:29 | tarFile.name |
+| main-node-tar.js:59:18:59:21 | file | main-node-tar.js:59:18:59:21 | file |
+| main-node-tar.js:59:24:59:30 | tarFile | main-node-tar.js:59:24:59:35 | tarFile.name |
+| main-node-tar.js:59:24:59:30 | tarFile | main-node-tar.js:59:24:59:35 | tarFile.name |
+| main-node-tar.js:59:24:59:30 | tarFile | main-node-tar.js:59:24:59:35 | tarFile.name |
+| main-node-tar.js:59:24:59:30 | tarFile | main-node-tar.js:59:24:59:35 | tarFile.name |
+| main-node-tar.js:59:24:59:35 | tarFile.name | main-node-tar.js:59:24:59:35 | tarFile.name |
+#select
+| main-node-tar.js:24:9:24:15 | tar.x() | main-node-tar.js:14:22:14:24 | req | main-node-tar.js:24:9:24:15 | tar.x() | This file extraction depends on a $@. | main-node-tar.js:14:22:14:24 | req | potentially untrusted source |
+| main-node-tar.js:24:9:24:15 | tar.x() | main-node-tar.js:15:13:15:21 | req.files | main-node-tar.js:24:9:24:15 | tar.x() | This file extraction depends on a $@. | main-node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
+| main-node-tar.js:24:9:24:15 | tar.x() | main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:24:9:24:15 | tar.x() | This file extraction depends on a $@. | main-node-tar.js:19:18:19:24 | tarFile | potentially untrusted source |
+| main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | main-node-tar.js:14:22:14:24 | req | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | This file extraction depends on a $@. | main-node-tar.js:14:22:14:24 | req | potentially untrusted source |
+| main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | main-node-tar.js:15:13:15:21 | req.files | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | This file extraction depends on a $@. | main-node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
+| main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | This file extraction depends on a $@. | main-node-tar.js:19:18:19:24 | tarFile | potentially untrusted source |
+| main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | This file extraction depends on a $@. | main-node-tar.js:30:9:33:10 | tar.x({ ...      }) | potentially untrusted source |
+| main-node-tar.js:48:9:50:10 | tar.x({ ...      }) | main-node-tar.js:14:22:14:24 | req | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) | This file extraction depends on a $@. | main-node-tar.js:14:22:14:24 | req | potentially untrusted source |
+| main-node-tar.js:48:9:50:10 | tar.x({ ...      }) | main-node-tar.js:15:13:15:21 | req.files | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) | This file extraction depends on a $@. | main-node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
+| main-node-tar.js:48:9:50:10 | tar.x({ ...      }) | main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) | This file extraction depends on a $@. | main-node-tar.js:19:18:19:24 | tarFile | potentially untrusted source |
+| main-node-tar.js:48:9:50:10 | tar.x({ ...      }) | main-node-tar.js:46:9:46:20 | decompressor | main-node-tar.js:48:9:50:10 | tar.x({ ...      }) | This file extraction depends on a $@. | main-node-tar.js:46:9:46:20 | decompressor | potentially untrusted source |
+| main-node-tar.js:58:12:58:15 | file | main-node-tar.js:58:12:58:15 | file | main-node-tar.js:58:12:58:15 | file | This file extraction depends on a $@. | main-node-tar.js:58:12:58:15 | file | potentially untrusted source |
+| main-node-tar.js:58:18:58:24 | tarFile | main-node-tar.js:14:22:14:24 | req | main-node-tar.js:58:18:58:24 | tarFile | This file extraction depends on a $@. | main-node-tar.js:14:22:14:24 | req | potentially untrusted source |
+| main-node-tar.js:58:18:58:24 | tarFile | main-node-tar.js:15:13:15:21 | req.files | main-node-tar.js:58:18:58:24 | tarFile | This file extraction depends on a $@. | main-node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
+| main-node-tar.js:58:18:58:24 | tarFile | main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:58:18:58:24 | tarFile | This file extraction depends on a $@. | main-node-tar.js:19:18:19:24 | tarFile | potentially untrusted source |
+| main-node-tar.js:58:18:58:29 | tarFile.name | main-node-tar.js:14:22:14:24 | req | main-node-tar.js:58:18:58:29 | tarFile.name | This file extraction depends on a $@. | main-node-tar.js:14:22:14:24 | req | potentially untrusted source |
+| main-node-tar.js:58:18:58:29 | tarFile.name | main-node-tar.js:15:13:15:21 | req.files | main-node-tar.js:58:18:58:29 | tarFile.name | This file extraction depends on a $@. | main-node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
+| main-node-tar.js:58:18:58:29 | tarFile.name | main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:58:18:58:29 | tarFile.name | This file extraction depends on a $@. | main-node-tar.js:19:18:19:24 | tarFile | potentially untrusted source |
+| main-node-tar.js:58:18:58:29 | tarFile.name | main-node-tar.js:58:18:58:29 | tarFile.name | main-node-tar.js:58:18:58:29 | tarFile.name | This file extraction depends on a $@. | main-node-tar.js:58:18:58:29 | tarFile.name | potentially untrusted source |
+| main-node-tar.js:59:18:59:21 | file | main-node-tar.js:59:18:59:21 | file | main-node-tar.js:59:18:59:21 | file | This file extraction depends on a $@. | main-node-tar.js:59:18:59:21 | file | potentially untrusted source |
+| main-node-tar.js:59:24:59:30 | tarFile | main-node-tar.js:14:22:14:24 | req | main-node-tar.js:59:24:59:30 | tarFile | This file extraction depends on a $@. | main-node-tar.js:14:22:14:24 | req | potentially untrusted source |
+| main-node-tar.js:59:24:59:30 | tarFile | main-node-tar.js:15:13:15:21 | req.files | main-node-tar.js:59:24:59:30 | tarFile | This file extraction depends on a $@. | main-node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
+| main-node-tar.js:59:24:59:30 | tarFile | main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:59:24:59:30 | tarFile | This file extraction depends on a $@. | main-node-tar.js:19:18:19:24 | tarFile | potentially untrusted source |
+| main-node-tar.js:59:24:59:35 | tarFile.name | main-node-tar.js:14:22:14:24 | req | main-node-tar.js:59:24:59:35 | tarFile.name | This file extraction depends on a $@. | main-node-tar.js:14:22:14:24 | req | potentially untrusted source |
+| main-node-tar.js:59:24:59:35 | tarFile.name | main-node-tar.js:15:13:15:21 | req.files | main-node-tar.js:59:24:59:35 | tarFile.name | This file extraction depends on a $@. | main-node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
+| main-node-tar.js:59:24:59:35 | tarFile.name | main-node-tar.js:19:18:19:24 | tarFile | main-node-tar.js:59:24:59:35 | tarFile.name | This file extraction depends on a $@. | main-node-tar.js:19:18:19:24 | tarFile | potentially untrusted source |
+| main-node-tar.js:59:24:59:35 | tarFile.name | main-node-tar.js:59:24:59:35 | tarFile.name | main-node-tar.js:59:24:59:35 | tarFile.name | This file extraction depends on a $@. | main-node-tar.js:59:24:59:35 | tarFile.name | potentially untrusted source |
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_node-tar.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_node-tar.qlref
@@ -0,0 +1,2 @@
+experimental/Security/CWE-522-DecompressionBombs/Bombs_node-tar.ql
+
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.expected
@@ -0,0 +1,348 @@
+nodes
+| main-adm-zip.js:31:22:31:24 | req |
+| main-adm-zip.js:31:22:31:24 | req |
+| main-adm-zip.js:32:13:32:15 | req |
+| main-adm-zip.js:32:13:32:21 | req.files |
+| main-adm-zip.js:32:13:32:21 | req.files |
+| main-adm-zip.js:32:13:32:33 | req.fil ... ombFile |
+| main-adm-zip.js:36:18:36:24 | tarFile |
+| main-adm-zip.js:36:18:36:24 | tarFile |
+| main-adm-zip.js:36:18:36:24 | tarFile |
+| main-adm-zip.js:43:22:43:28 | tarFile |
+| main-adm-zip.js:43:22:43:28 | tarFile |
+| main-adm-zip.js:43:22:43:33 | tarFile.data |
+| main-adm-zip.js:43:22:43:33 | tarFile.data |
+| main-adm-zip.js:43:22:43:33 | tarFile.data |
+| main-adm-zip.js:47:25:47:42 | zipEntry.getData() |
+| main-adm-zip.js:47:25:47:42 | zipEntry.getData() |
+| main-adm-zip.js:47:25:47:42 | zipEntry.getData() |
+| main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") |
+| main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") |
+| main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") |
+| main-adm-zip.js:53:5:53:55 | admZip. ... , true) |
+| main-adm-zip.js:53:5:53:55 | admZip. ... , true) |
+| main-adm-zip.js:53:5:53:55 | admZip. ... , true) |
+| main-adm-zip.js:55:5:55:38 | admZip. ... , true) |
+| main-adm-zip.js:55:5:55:38 | admZip. ... , true) |
+| main-adm-zip.js:55:5:55:38 | admZip. ... , true) |
+| main-pako.js:11:22:11:24 | req |
+| main-pako.js:11:22:11:24 | req |
+| main-pako.js:12:14:12:16 | req |
+| main-pako.js:12:14:12:22 | req.files |
+| main-pako.js:12:14:12:22 | req.files |
+| main-pako.js:12:14:12:34 | req.fil ... ombFile |
+| main-pako.js:13:14:13:16 | req |
+| main-pako.js:13:14:13:22 | req.files |
+| main-pako.js:13:14:13:22 | req.files |
+| main-pako.js:13:14:13:34 | req.fil ... ombFile |
+| main-pako.js:17:19:17:25 | zipFile |
+| main-pako.js:17:19:17:25 | zipFile |
+| main-pako.js:17:19:17:25 | zipFile |
+| main-pako.js:18:11:18:68 | myArray |
+| main-pako.js:18:11:18:68 | myArray |
+| main-pako.js:18:21:18:68 | Buffer. ... uffer)) |
+| main-pako.js:18:21:18:68 | Buffer. ... uffer)) |
+| main-pako.js:18:33:18:67 | new Uin ... buffer) |
+| main-pako.js:18:33:18:67 | new Uin ... buffer) |
+| main-pako.js:18:48:18:54 | zipFile |
+| main-pako.js:18:48:18:54 | zipFile |
+| main-pako.js:18:48:18:59 | zipFile.data |
+| main-pako.js:18:48:18:59 | zipFile.data |
+| main-pako.js:18:48:18:66 | zipFile.data.buffer |
+| main-pako.js:18:48:18:66 | zipFile.data.buffer |
+| main-pako.js:21:31:21:37 | myArray |
+| main-pako.js:21:31:21:37 | myArray |
+| main-pako.js:21:31:21:37 | myArray |
+| main-pako.js:28:19:28:25 | zipFile |
+| main-pako.js:28:19:28:25 | zipFile |
+| main-pako.js:28:19:28:25 | zipFile |
+| main-pako.js:29:11:29:62 | myArray |
+| main-pako.js:29:11:29:62 | myArray |
+| main-pako.js:29:21:29:55 | new Uin ... buffer) |
+| main-pako.js:29:21:29:55 | new Uin ... buffer) |
+| main-pako.js:29:21:29:62 | new Uin ... .buffer |
+| main-pako.js:29:21:29:62 | new Uin ... .buffer |
+| main-pako.js:29:36:29:42 | zipFile |
+| main-pako.js:29:36:29:42 | zipFile |
+| main-pako.js:29:36:29:47 | zipFile.data |
+| main-pako.js:29:36:29:47 | zipFile.data |
+| main-pako.js:29:36:29:54 | zipFile.data.buffer |
+| main-pako.js:29:36:29:54 | zipFile.data.buffer |
+| main-pako.js:32:31:32:37 | myArray |
+| main-pako.js:32:31:32:37 | myArray |
+| main-pako.js:32:31:32:37 | myArray |
+| main-zlib.js:14:22:14:24 | req |
+| main-zlib.js:14:22:14:24 | req |
+| main-zlib.js:15:19:15:21 | req |
+| main-zlib.js:15:19:15:27 | req.files |
+| main-zlib.js:15:19:15:27 | req.files |
+| main-zlib.js:15:19:15:39 | req.fil ... ombFile |
+| main-zlib.js:17:18:17:20 | req |
+| main-zlib.js:17:18:17:26 | req.files |
+| main-zlib.js:17:18:17:26 | req.files |
+| main-zlib.js:17:18:17:38 | req.fil ... ombFile |
+| main-zlib.js:19:24:19:26 | req |
+| main-zlib.js:19:24:19:32 | req.files |
+| main-zlib.js:19:24:19:32 | req.files |
+| main-zlib.js:19:24:19:44 | req.fil ... ombFile |
+| main-zlib.js:25:24:25:30 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile |
+| main-zlib.js:27:9:27:15 | zipFile |
+| main-zlib.js:27:9:27:15 | zipFile |
+| main-zlib.js:27:9:27:20 | zipFile.data |
+| main-zlib.js:27:9:27:20 | zipFile.data |
+| main-zlib.js:27:9:27:20 | zipFile.data |
+| main-zlib.js:31:9:31:15 | zipFile |
+| main-zlib.js:31:9:31:15 | zipFile |
+| main-zlib.js:31:9:31:20 | zipFile.data |
+| main-zlib.js:31:9:31:20 | zipFile.data |
+| main-zlib.js:31:9:31:20 | zipFile.data |
+| main-zlib.js:36:9:36:15 | zipFile |
+| main-zlib.js:36:9:36:15 | zipFile |
+| main-zlib.js:36:9:36:20 | zipFile.data |
+| main-zlib.js:36:9:36:20 | zipFile.data |
+| main-zlib.js:36:9:36:20 | zipFile.data |
+| main-zlib.js:60:23:60:29 | zipFile |
+| main-zlib.js:60:23:60:29 | zipFile |
+| main-zlib.js:60:23:60:29 | zipFile |
+| main-zlib.js:61:21:61:27 | zipFile |
+| main-zlib.js:61:21:61:27 | zipFile |
+| main-zlib.js:61:21:61:32 | zipFile.data |
+| main-zlib.js:61:21:61:32 | zipFile.data |
+| main-zlib.js:61:21:61:32 | zipFile.data |
+| main-zlib.js:62:20:62:26 | zipFile |
+| main-zlib.js:62:20:62:26 | zipFile |
+| main-zlib.js:62:20:62:31 | zipFile.data |
+| main-zlib.js:62:20:62:31 | zipFile.data |
+| main-zlib.js:62:20:62:31 | zipFile.data |
+| main-zlib.js:63:31:63:37 | zipFile |
+| main-zlib.js:63:31:63:37 | zipFile |
+| main-zlib.js:63:31:63:42 | zipFile.data |
+| main-zlib.js:63:31:63:42 | zipFile.data |
+| main-zlib.js:63:31:63:42 | zipFile.data |
+| main-zlib.js:72:29:72:35 | zipFile |
+| main-zlib.js:72:29:72:35 | zipFile |
+| main-zlib.js:72:29:72:35 | zipFile |
+| main-zlib.js:73:37:73:43 | zipFile |
+| main-zlib.js:73:37:73:43 | zipFile |
+| main-zlib.js:73:37:73:48 | zipFile.data |
+| main-zlib.js:73:37:73:48 | zipFile.data |
+| main-zlib.js:75:20:75:38 | zlib.createGunzip() |
+| main-zlib.js:75:20:75:38 | zlib.createGunzip() |
+| main-zlib.js:75:20:75:38 | zlib.createGunzip() |
+| main-zlib.js:76:20:76:37 | zlib.createUnzip() |
+| main-zlib.js:76:20:76:37 | zlib.createUnzip() |
+| main-zlib.js:76:20:76:37 | zlib.createUnzip() |
+| main-zlib.js:77:20:77:48 | zlib.cr ... press() |
+| main-zlib.js:77:20:77:48 | zlib.cr ... press() |
+| main-zlib.js:77:20:77:48 | zlib.cr ... press() |
+edges
+| main-adm-zip.js:31:22:31:24 | req | main-adm-zip.js:32:13:32:15 | req |
+| main-adm-zip.js:31:22:31:24 | req | main-adm-zip.js:32:13:32:15 | req |
+| main-adm-zip.js:32:13:32:15 | req | main-adm-zip.js:32:13:32:21 | req.files |
+| main-adm-zip.js:32:13:32:21 | req.files | main-adm-zip.js:32:13:32:33 | req.fil ... ombFile |
+| main-adm-zip.js:32:13:32:21 | req.files | main-adm-zip.js:32:13:32:33 | req.fil ... ombFile |
+| main-adm-zip.js:32:13:32:33 | req.fil ... ombFile | main-adm-zip.js:36:18:36:24 | tarFile |
+| main-adm-zip.js:36:18:36:24 | tarFile | main-adm-zip.js:43:22:43:28 | tarFile |
+| main-adm-zip.js:36:18:36:24 | tarFile | main-adm-zip.js:43:22:43:28 | tarFile |
+| main-adm-zip.js:36:18:36:24 | tarFile | main-adm-zip.js:43:22:43:28 | tarFile |
+| main-adm-zip.js:43:22:43:28 | tarFile | main-adm-zip.js:43:22:43:33 | tarFile.data |
+| main-adm-zip.js:43:22:43:28 | tarFile | main-adm-zip.js:43:22:43:33 | tarFile.data |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:47:25:47:42 | zipEntry.getData() |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:47:25:47:42 | zipEntry.getData() |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:47:25:47:42 | zipEntry.getData() |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:47:25:47:42 | zipEntry.getData() |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:47:25:47:42 | zipEntry.getData() |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:47:25:47:42 | zipEntry.getData() |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:53:5:53:55 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:53:5:53:55 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:53:5:53:55 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:53:5:53:55 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:53:5:53:55 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:53:5:53:55 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:55:5:55:38 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:55:5:55:38 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:55:5:55:38 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:55:5:55:38 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:55:5:55:38 | admZip. ... , true) |
+| main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:55:5:55:38 | admZip. ... , true) |
+| main-pako.js:11:22:11:24 | req | main-pako.js:12:14:12:16 | req |
+| main-pako.js:11:22:11:24 | req | main-pako.js:12:14:12:16 | req |
+| main-pako.js:11:22:11:24 | req | main-pako.js:13:14:13:16 | req |
+| main-pako.js:11:22:11:24 | req | main-pako.js:13:14:13:16 | req |
+| main-pako.js:12:14:12:16 | req | main-pako.js:12:14:12:22 | req.files |
+| main-pako.js:12:14:12:22 | req.files | main-pako.js:12:14:12:34 | req.fil ... ombFile |
+| main-pako.js:12:14:12:22 | req.files | main-pako.js:12:14:12:34 | req.fil ... ombFile |
+| main-pako.js:12:14:12:34 | req.fil ... ombFile | main-pako.js:17:19:17:25 | zipFile |
+| main-pako.js:13:14:13:16 | req | main-pako.js:13:14:13:22 | req.files |
+| main-pako.js:13:14:13:22 | req.files | main-pako.js:13:14:13:34 | req.fil ... ombFile |
+| main-pako.js:13:14:13:22 | req.files | main-pako.js:13:14:13:34 | req.fil ... ombFile |
+| main-pako.js:13:14:13:34 | req.fil ... ombFile | main-pako.js:28:19:28:25 | zipFile |
+| main-pako.js:17:19:17:25 | zipFile | main-pako.js:18:48:18:54 | zipFile |
+| main-pako.js:17:19:17:25 | zipFile | main-pako.js:18:48:18:54 | zipFile |
+| main-pako.js:17:19:17:25 | zipFile | main-pako.js:18:48:18:54 | zipFile |
+| main-pako.js:18:11:18:68 | myArray | main-pako.js:21:31:21:37 | myArray |
+| main-pako.js:18:11:18:68 | myArray | main-pako.js:21:31:21:37 | myArray |
+| main-pako.js:18:11:18:68 | myArray | main-pako.js:21:31:21:37 | myArray |
+| main-pako.js:18:11:18:68 | myArray | main-pako.js:21:31:21:37 | myArray |
+| main-pako.js:18:21:18:68 | Buffer. ... uffer)) | main-pako.js:18:11:18:68 | myArray |
+| main-pako.js:18:21:18:68 | Buffer. ... uffer)) | main-pako.js:18:11:18:68 | myArray |
+| main-pako.js:18:33:18:67 | new Uin ... buffer) | main-pako.js:18:21:18:68 | Buffer. ... uffer)) |
+| main-pako.js:18:33:18:67 | new Uin ... buffer) | main-pako.js:18:21:18:68 | Buffer. ... uffer)) |
+| main-pako.js:18:48:18:54 | zipFile | main-pako.js:18:48:18:59 | zipFile.data |
+| main-pako.js:18:48:18:54 | zipFile | main-pako.js:18:48:18:59 | zipFile.data |
+| main-pako.js:18:48:18:59 | zipFile.data | main-pako.js:18:48:18:66 | zipFile.data.buffer |
+| main-pako.js:18:48:18:59 | zipFile.data | main-pako.js:18:48:18:66 | zipFile.data.buffer |
+| main-pako.js:18:48:18:66 | zipFile.data.buffer | main-pako.js:18:33:18:67 | new Uin ... buffer) |
+| main-pako.js:18:48:18:66 | zipFile.data.buffer | main-pako.js:18:33:18:67 | new Uin ... buffer) |
+| main-pako.js:28:19:28:25 | zipFile | main-pako.js:29:36:29:42 | zipFile |
+| main-pako.js:28:19:28:25 | zipFile | main-pako.js:29:36:29:42 | zipFile |
+| main-pako.js:28:19:28:25 | zipFile | main-pako.js:29:36:29:42 | zipFile |
+| main-pako.js:29:11:29:62 | myArray | main-pako.js:32:31:32:37 | myArray |
+| main-pako.js:29:11:29:62 | myArray | main-pako.js:32:31:32:37 | myArray |
+| main-pako.js:29:11:29:62 | myArray | main-pako.js:32:31:32:37 | myArray |
+| main-pako.js:29:11:29:62 | myArray | main-pako.js:32:31:32:37 | myArray |
+| main-pako.js:29:21:29:55 | new Uin ... buffer) | main-pako.js:29:21:29:62 | new Uin ... .buffer |
+| main-pako.js:29:21:29:55 | new Uin ... buffer) | main-pako.js:29:21:29:62 | new Uin ... .buffer |
+| main-pako.js:29:21:29:62 | new Uin ... .buffer | main-pako.js:29:11:29:62 | myArray |
+| main-pako.js:29:21:29:62 | new Uin ... .buffer | main-pako.js:29:11:29:62 | myArray |
+| main-pako.js:29:36:29:42 | zipFile | main-pako.js:29:36:29:47 | zipFile.data |
+| main-pako.js:29:36:29:42 | zipFile | main-pako.js:29:36:29:47 | zipFile.data |
+| main-pako.js:29:36:29:47 | zipFile.data | main-pako.js:29:36:29:54 | zipFile.data.buffer |
+| main-pako.js:29:36:29:47 | zipFile.data | main-pako.js:29:36:29:54 | zipFile.data.buffer |
+| main-pako.js:29:36:29:54 | zipFile.data.buffer | main-pako.js:29:21:29:55 | new Uin ... buffer) |
+| main-pako.js:29:36:29:54 | zipFile.data.buffer | main-pako.js:29:21:29:55 | new Uin ... buffer) |
+| main-zlib.js:14:22:14:24 | req | main-zlib.js:15:19:15:21 | req |
+| main-zlib.js:14:22:14:24 | req | main-zlib.js:15:19:15:21 | req |
+| main-zlib.js:14:22:14:24 | req | main-zlib.js:17:18:17:20 | req |
+| main-zlib.js:14:22:14:24 | req | main-zlib.js:17:18:17:20 | req |
+| main-zlib.js:14:22:14:24 | req | main-zlib.js:19:24:19:26 | req |
+| main-zlib.js:14:22:14:24 | req | main-zlib.js:19:24:19:26 | req |
+| main-zlib.js:15:19:15:21 | req | main-zlib.js:15:19:15:27 | req.files |
+| main-zlib.js:15:19:15:27 | req.files | main-zlib.js:15:19:15:39 | req.fil ... ombFile |
+| main-zlib.js:15:19:15:27 | req.files | main-zlib.js:15:19:15:39 | req.fil ... ombFile |
+| main-zlib.js:15:19:15:39 | req.fil ... ombFile | main-zlib.js:25:24:25:30 | zipFile |
+| main-zlib.js:17:18:17:20 | req | main-zlib.js:17:18:17:26 | req.files |
+| main-zlib.js:17:18:17:26 | req.files | main-zlib.js:17:18:17:38 | req.fil ... ombFile |
+| main-zlib.js:17:18:17:26 | req.files | main-zlib.js:17:18:17:38 | req.fil ... ombFile |
+| main-zlib.js:17:18:17:38 | req.fil ... ombFile | main-zlib.js:60:23:60:29 | zipFile |
+| main-zlib.js:19:24:19:26 | req | main-zlib.js:19:24:19:32 | req.files |
+| main-zlib.js:19:24:19:32 | req.files | main-zlib.js:19:24:19:44 | req.fil ... ombFile |
+| main-zlib.js:19:24:19:32 | req.files | main-zlib.js:19:24:19:44 | req.fil ... ombFile |
+| main-zlib.js:19:24:19:44 | req.fil ... ombFile | main-zlib.js:72:29:72:35 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:27:9:27:15 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:27:9:27:15 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:27:9:27:15 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:31:9:31:15 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:31:9:31:15 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:31:9:31:15 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:36:9:36:15 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:36:9:36:15 | zipFile |
+| main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:36:9:36:15 | zipFile |
+| main-zlib.js:27:9:27:15 | zipFile | main-zlib.js:27:9:27:20 | zipFile.data |
+| main-zlib.js:27:9:27:15 | zipFile | main-zlib.js:27:9:27:20 | zipFile.data |
+| main-zlib.js:27:9:27:15 | zipFile | main-zlib.js:27:9:27:20 | zipFile.data |
+| main-zlib.js:27:9:27:15 | zipFile | main-zlib.js:27:9:27:20 | zipFile.data |
+| main-zlib.js:31:9:31:15 | zipFile | main-zlib.js:31:9:31:20 | zipFile.data |
+| main-zlib.js:31:9:31:15 | zipFile | main-zlib.js:31:9:31:20 | zipFile.data |
+| main-zlib.js:31:9:31:15 | zipFile | main-zlib.js:31:9:31:20 | zipFile.data |
+| main-zlib.js:31:9:31:15 | zipFile | main-zlib.js:31:9:31:20 | zipFile.data |
+| main-zlib.js:36:9:36:15 | zipFile | main-zlib.js:36:9:36:20 | zipFile.data |
+| main-zlib.js:36:9:36:15 | zipFile | main-zlib.js:36:9:36:20 | zipFile.data |
+| main-zlib.js:36:9:36:15 | zipFile | main-zlib.js:36:9:36:20 | zipFile.data |
+| main-zlib.js:36:9:36:15 | zipFile | main-zlib.js:36:9:36:20 | zipFile.data |
+| main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:61:21:61:27 | zipFile |
+| main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:61:21:61:27 | zipFile |
+| main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:61:21:61:27 | zipFile |
+| main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:62:20:62:26 | zipFile |
+| main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:62:20:62:26 | zipFile |
+| main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:62:20:62:26 | zipFile |
+| main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:63:31:63:37 | zipFile |
+| main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:63:31:63:37 | zipFile |
+| main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:63:31:63:37 | zipFile |
+| main-zlib.js:61:21:61:27 | zipFile | main-zlib.js:61:21:61:32 | zipFile.data |
+| main-zlib.js:61:21:61:27 | zipFile | main-zlib.js:61:21:61:32 | zipFile.data |
+| main-zlib.js:61:21:61:27 | zipFile | main-zlib.js:61:21:61:32 | zipFile.data |
+| main-zlib.js:61:21:61:27 | zipFile | main-zlib.js:61:21:61:32 | zipFile.data |
+| main-zlib.js:62:20:62:26 | zipFile | main-zlib.js:62:20:62:31 | zipFile.data |
+| main-zlib.js:62:20:62:26 | zipFile | main-zlib.js:62:20:62:31 | zipFile.data |
+| main-zlib.js:62:20:62:26 | zipFile | main-zlib.js:62:20:62:31 | zipFile.data |
+| main-zlib.js:62:20:62:26 | zipFile | main-zlib.js:62:20:62:31 | zipFile.data |
+| main-zlib.js:63:31:63:37 | zipFile | main-zlib.js:63:31:63:42 | zipFile.data |
+| main-zlib.js:63:31:63:37 | zipFile | main-zlib.js:63:31:63:42 | zipFile.data |
+| main-zlib.js:63:31:63:37 | zipFile | main-zlib.js:63:31:63:42 | zipFile.data |
+| main-zlib.js:63:31:63:37 | zipFile | main-zlib.js:63:31:63:42 | zipFile.data |
+| main-zlib.js:72:29:72:35 | zipFile | main-zlib.js:73:37:73:43 | zipFile |
+| main-zlib.js:72:29:72:35 | zipFile | main-zlib.js:73:37:73:43 | zipFile |
+| main-zlib.js:72:29:72:35 | zipFile | main-zlib.js:73:37:73:43 | zipFile |
+| main-zlib.js:73:37:73:43 | zipFile | main-zlib.js:73:37:73:48 | zipFile.data |
+| main-zlib.js:73:37:73:43 | zipFile | main-zlib.js:73:37:73:48 | zipFile.data |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:75:20:75:38 | zlib.createGunzip() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:75:20:75:38 | zlib.createGunzip() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:75:20:75:38 | zlib.createGunzip() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:75:20:75:38 | zlib.createGunzip() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:76:20:76:37 | zlib.createUnzip() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:76:20:76:37 | zlib.createUnzip() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:76:20:76:37 | zlib.createUnzip() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:76:20:76:37 | zlib.createUnzip() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:77:20:77:48 | zlib.cr ... press() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:77:20:77:48 | zlib.cr ... press() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:77:20:77:48 | zlib.cr ... press() |
+| main-zlib.js:73:37:73:48 | zipFile.data | main-zlib.js:77:20:77:48 | zlib.cr ... press() |
+#select
+| main-adm-zip.js:47:25:47:42 | zipEntry.getData() | main-adm-zip.js:31:22:31:24 | req | main-adm-zip.js:47:25:47:42 | zipEntry.getData() | This file extraction depends on a $@. | main-adm-zip.js:31:22:31:24 | req | potentially untrusted source |
+| main-adm-zip.js:47:25:47:42 | zipEntry.getData() | main-adm-zip.js:32:13:32:21 | req.files | main-adm-zip.js:47:25:47:42 | zipEntry.getData() | This file extraction depends on a $@. | main-adm-zip.js:32:13:32:21 | req.files | potentially untrusted source |
+| main-adm-zip.js:47:25:47:42 | zipEntry.getData() | main-adm-zip.js:36:18:36:24 | tarFile | main-adm-zip.js:47:25:47:42 | zipEntry.getData() | This file extraction depends on a $@. | main-adm-zip.js:36:18:36:24 | tarFile | potentially untrusted source |
+| main-adm-zip.js:47:25:47:42 | zipEntry.getData() | main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:47:25:47:42 | zipEntry.getData() | This file extraction depends on a $@. | main-adm-zip.js:43:22:43:33 | tarFile.data | potentially untrusted source |
+| main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") | main-adm-zip.js:31:22:31:24 | req | main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") | This file extraction depends on a $@. | main-adm-zip.js:31:22:31:24 | req | potentially untrusted source |
+| main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") | main-adm-zip.js:32:13:32:21 | req.files | main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") | This file extraction depends on a $@. | main-adm-zip.js:32:13:32:21 | req.files | potentially untrusted source |
+| main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") | main-adm-zip.js:36:18:36:24 | tarFile | main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") | This file extraction depends on a $@. | main-adm-zip.js:36:18:36:24 | tarFile | potentially untrusted source |
+| main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") | main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:51:17:51:41 | admZip. ... "10GB") | This file extraction depends on a $@. | main-adm-zip.js:43:22:43:33 | tarFile.data | potentially untrusted source |
+| main-adm-zip.js:53:5:53:55 | admZip. ... , true) | main-adm-zip.js:31:22:31:24 | req | main-adm-zip.js:53:5:53:55 | admZip. ... , true) | This file extraction depends on a $@. | main-adm-zip.js:31:22:31:24 | req | potentially untrusted source |
+| main-adm-zip.js:53:5:53:55 | admZip. ... , true) | main-adm-zip.js:32:13:32:21 | req.files | main-adm-zip.js:53:5:53:55 | admZip. ... , true) | This file extraction depends on a $@. | main-adm-zip.js:32:13:32:21 | req.files | potentially untrusted source |
+| main-adm-zip.js:53:5:53:55 | admZip. ... , true) | main-adm-zip.js:36:18:36:24 | tarFile | main-adm-zip.js:53:5:53:55 | admZip. ... , true) | This file extraction depends on a $@. | main-adm-zip.js:36:18:36:24 | tarFile | potentially untrusted source |
+| main-adm-zip.js:53:5:53:55 | admZip. ... , true) | main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:53:5:53:55 | admZip. ... , true) | This file extraction depends on a $@. | main-adm-zip.js:43:22:43:33 | tarFile.data | potentially untrusted source |
+| main-adm-zip.js:55:5:55:38 | admZip. ... , true) | main-adm-zip.js:31:22:31:24 | req | main-adm-zip.js:55:5:55:38 | admZip. ... , true) | This file extraction depends on a $@. | main-adm-zip.js:31:22:31:24 | req | potentially untrusted source |
+| main-adm-zip.js:55:5:55:38 | admZip. ... , true) | main-adm-zip.js:32:13:32:21 | req.files | main-adm-zip.js:55:5:55:38 | admZip. ... , true) | This file extraction depends on a $@. | main-adm-zip.js:32:13:32:21 | req.files | potentially untrusted source |
+| main-adm-zip.js:55:5:55:38 | admZip. ... , true) | main-adm-zip.js:36:18:36:24 | tarFile | main-adm-zip.js:55:5:55:38 | admZip. ... , true) | This file extraction depends on a $@. | main-adm-zip.js:36:18:36:24 | tarFile | potentially untrusted source |
+| main-adm-zip.js:55:5:55:38 | admZip. ... , true) | main-adm-zip.js:43:22:43:33 | tarFile.data | main-adm-zip.js:55:5:55:38 | admZip. ... , true) | This file extraction depends on a $@. | main-adm-zip.js:43:22:43:33 | tarFile.data | potentially untrusted source |
+| main-pako.js:21:31:21:37 | myArray | main-pako.js:11:22:11:24 | req | main-pako.js:21:31:21:37 | myArray | This file extraction depends on a $@. | main-pako.js:11:22:11:24 | req | potentially untrusted source |
+| main-pako.js:21:31:21:37 | myArray | main-pako.js:12:14:12:22 | req.files | main-pako.js:21:31:21:37 | myArray | This file extraction depends on a $@. | main-pako.js:12:14:12:22 | req.files | potentially untrusted source |
+| main-pako.js:21:31:21:37 | myArray | main-pako.js:17:19:17:25 | zipFile | main-pako.js:21:31:21:37 | myArray | This file extraction depends on a $@. | main-pako.js:17:19:17:25 | zipFile | potentially untrusted source |
+| main-pako.js:32:31:32:37 | myArray | main-pako.js:11:22:11:24 | req | main-pako.js:32:31:32:37 | myArray | This file extraction depends on a $@. | main-pako.js:11:22:11:24 | req | potentially untrusted source |
+| main-pako.js:32:31:32:37 | myArray | main-pako.js:13:14:13:22 | req.files | main-pako.js:32:31:32:37 | myArray | This file extraction depends on a $@. | main-pako.js:13:14:13:22 | req.files | potentially untrusted source |
+| main-pako.js:32:31:32:37 | myArray | main-pako.js:28:19:28:25 | zipFile | main-pako.js:32:31:32:37 | myArray | This file extraction depends on a $@. | main-pako.js:28:19:28:25 | zipFile | potentially untrusted source |
+| main-zlib.js:27:9:27:20 | zipFile.data | main-zlib.js:14:22:14:24 | req | main-zlib.js:27:9:27:20 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:14:22:14:24 | req | potentially untrusted source |
+| main-zlib.js:27:9:27:20 | zipFile.data | main-zlib.js:15:19:15:27 | req.files | main-zlib.js:27:9:27:20 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:15:19:15:27 | req.files | potentially untrusted source |
+| main-zlib.js:27:9:27:20 | zipFile.data | main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:27:9:27:20 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:25:24:25:30 | zipFile | potentially untrusted source |
+| main-zlib.js:31:9:31:20 | zipFile.data | main-zlib.js:14:22:14:24 | req | main-zlib.js:31:9:31:20 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:14:22:14:24 | req | potentially untrusted source |
+| main-zlib.js:31:9:31:20 | zipFile.data | main-zlib.js:15:19:15:27 | req.files | main-zlib.js:31:9:31:20 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:15:19:15:27 | req.files | potentially untrusted source |
+| main-zlib.js:31:9:31:20 | zipFile.data | main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:31:9:31:20 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:25:24:25:30 | zipFile | potentially untrusted source |
+| main-zlib.js:36:9:36:20 | zipFile.data | main-zlib.js:14:22:14:24 | req | main-zlib.js:36:9:36:20 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:14:22:14:24 | req | potentially untrusted source |
+| main-zlib.js:36:9:36:20 | zipFile.data | main-zlib.js:15:19:15:27 | req.files | main-zlib.js:36:9:36:20 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:15:19:15:27 | req.files | potentially untrusted source |
+| main-zlib.js:36:9:36:20 | zipFile.data | main-zlib.js:25:24:25:30 | zipFile | main-zlib.js:36:9:36:20 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:25:24:25:30 | zipFile | potentially untrusted source |
+| main-zlib.js:61:21:61:32 | zipFile.data | main-zlib.js:14:22:14:24 | req | main-zlib.js:61:21:61:32 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:14:22:14:24 | req | potentially untrusted source |
+| main-zlib.js:61:21:61:32 | zipFile.data | main-zlib.js:17:18:17:26 | req.files | main-zlib.js:61:21:61:32 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:17:18:17:26 | req.files | potentially untrusted source |
+| main-zlib.js:61:21:61:32 | zipFile.data | main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:61:21:61:32 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:60:23:60:29 | zipFile | potentially untrusted source |
+| main-zlib.js:62:20:62:31 | zipFile.data | main-zlib.js:14:22:14:24 | req | main-zlib.js:62:20:62:31 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:14:22:14:24 | req | potentially untrusted source |
+| main-zlib.js:62:20:62:31 | zipFile.data | main-zlib.js:17:18:17:26 | req.files | main-zlib.js:62:20:62:31 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:17:18:17:26 | req.files | potentially untrusted source |
+| main-zlib.js:62:20:62:31 | zipFile.data | main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:62:20:62:31 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:60:23:60:29 | zipFile | potentially untrusted source |
+| main-zlib.js:63:31:63:42 | zipFile.data | main-zlib.js:14:22:14:24 | req | main-zlib.js:63:31:63:42 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:14:22:14:24 | req | potentially untrusted source |
+| main-zlib.js:63:31:63:42 | zipFile.data | main-zlib.js:17:18:17:26 | req.files | main-zlib.js:63:31:63:42 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:17:18:17:26 | req.files | potentially untrusted source |
+| main-zlib.js:63:31:63:42 | zipFile.data | main-zlib.js:60:23:60:29 | zipFile | main-zlib.js:63:31:63:42 | zipFile.data | This file extraction depends on a $@. | main-zlib.js:60:23:60:29 | zipFile | potentially untrusted source |
+| main-zlib.js:75:20:75:38 | zlib.createGunzip() | main-zlib.js:14:22:14:24 | req | main-zlib.js:75:20:75:38 | zlib.createGunzip() | This file extraction depends on a $@. | main-zlib.js:14:22:14:24 | req | potentially untrusted source |
+| main-zlib.js:75:20:75:38 | zlib.createGunzip() | main-zlib.js:19:24:19:32 | req.files | main-zlib.js:75:20:75:38 | zlib.createGunzip() | This file extraction depends on a $@. | main-zlib.js:19:24:19:32 | req.files | potentially untrusted source |
+| main-zlib.js:75:20:75:38 | zlib.createGunzip() | main-zlib.js:72:29:72:35 | zipFile | main-zlib.js:75:20:75:38 | zlib.createGunzip() | This file extraction depends on a $@. | main-zlib.js:72:29:72:35 | zipFile | potentially untrusted source |
+| main-zlib.js:76:20:76:37 | zlib.createUnzip() | main-zlib.js:14:22:14:24 | req | main-zlib.js:76:20:76:37 | zlib.createUnzip() | This file extraction depends on a $@. | main-zlib.js:14:22:14:24 | req | potentially untrusted source |
+| main-zlib.js:76:20:76:37 | zlib.createUnzip() | main-zlib.js:19:24:19:32 | req.files | main-zlib.js:76:20:76:37 | zlib.createUnzip() | This file extraction depends on a $@. | main-zlib.js:19:24:19:32 | req.files | potentially untrusted source |
+| main-zlib.js:76:20:76:37 | zlib.createUnzip() | main-zlib.js:72:29:72:35 | zipFile | main-zlib.js:76:20:76:37 | zlib.createUnzip() | This file extraction depends on a $@. | main-zlib.js:72:29:72:35 | zipFile | potentially untrusted source |
+| main-zlib.js:77:20:77:48 | zlib.cr ... press() | main-zlib.js:14:22:14:24 | req | main-zlib.js:77:20:77:48 | zlib.cr ... press() | This file extraction depends on a $@. | main-zlib.js:14:22:14:24 | req | potentially untrusted source |
+| main-zlib.js:77:20:77:48 | zlib.cr ... press() | main-zlib.js:19:24:19:32 | req.files | main-zlib.js:77:20:77:48 | zlib.cr ... press() | This file extraction depends on a $@. | main-zlib.js:19:24:19:32 | req.files | potentially untrusted source |
+| main-zlib.js:77:20:77:48 | zlib.cr ... press() | main-zlib.js:72:29:72:35 | zipFile | main-zlib.js:77:20:77:48 | zlib.cr ... press() | This file extraction depends on a $@. | main-zlib.js:72:29:72:35 | zipFile | potentially untrusted source |
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.ql
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/YargsTests1.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/YargsTests1.js
@@ -0,0 +1,14 @@
+import { localZipLoad } from "./main-jszip";
+
+var argv1 = require('yargs/yargs')(process.argv.slice(2)).argv;
+
+console.log(argv1.a, argv1.b);
+// https://github.com/yargs/yargs/blob/main/docs/examples.md#and-non-hyphenated-options-too-just-use-argv_
+console.log(argv1._);
+localZipLoad(argv1.a)
+// // https://github.com/yargs/yargs/blob/main/docs/examples.md#after-your-demands-have-been-met-demand-more-ask-for-non-hyphenated-arguments
+var argv2 = require('yargs/yargs')(process.argv.slice(2))
+    .demandCommand(2)
+    .argv;
+console.dir(argv2._);
+localZipLoad(argv2.a)
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/argvTests1.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/argvTests1.js
@@ -0,0 +1,8 @@
+import {localZipLoad} from "./main-jszip";
+
+const {argv} = require('node:process');
+localZipLoad(argv[2])
+localZipLoad(process.argv[2])
+argv.forEach((val, index) => {
+    localZipLoad(val)
+});
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/commanderTests1.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/commanderTests1.js
@@ -0,0 +1,21 @@
+const { Command } = require('commander');
+const program = new Command();
+import { localZipLoad } from "./main-jszip";
+
+function collect(value, previous) {
+    localZipLoad(previous);
+    return localZipLoad(value);
+}
+
+program.option('-c, --collect <value>', 'repeatable value', collect, []);
+
+program.parse();
+
+const options = program.opts();
+localZipLoad(options.collect);
+// Try the following:
+//    node options-custom-processing -f 1e2
+//    node options-custom-processing --integer 2
+//    node options-custom-processing -v -v -v
+//    node options-custom-processing -c a -c b -c c
+//    node options-custom-processing --list x,y,z
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/commanderTests2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/commanderTests2.js
@@ -0,0 +1,17 @@
+const {Command} = require('commander');
+const program = new Command();
+import {localZipLoad} from "./main-jszip";
+
+program
+    .command('serve')
+    .argument('<script>')
+    .option('-p, --port <number>', 'port number', 80)
+    .action(function () {
+        localZipLoad(this.opts().zipPath);
+        localZipLoad(this.args[0]);
+    });
+
+program.parse();
+
+// Try the following:
+//    node action-this.js serve --port 8080 index.js
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/commanderTests3.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/commanderTests3.js
@@ -0,0 +1,36 @@
+const commander
+    = require('commander');
+const program = new commander.Command();
+import {localZipLoad} from "./main-jszip";
+
+program.option('-p, --zip-path <type>', 'path of zipFile');
+program.parse(process.argv);
+const options = program.opts();
+if (options.zipPath) {
+    localZipLoad(options.zipPath)
+}
+program
+    .version('0.1.0')
+    .argument('<username>', 'user to login')
+    .argument('[password]', 'password for user, if required', 'no password given')
+    .action((zipPath, password) => {
+        localZipLoad(zipPath);
+        localZipLoad(password);
+    });
+
+program
+    .version('0.1.0')
+    .command('rmdir')
+    .argument('<dirs...>')
+    .action(function (dirs) {
+        dirs.forEach((zipPath) => {
+            localZipLoad(zipPath);
+        });
+    });
+program
+    .option('--env <filename>', 'specify environment file')
+    .hook('preSubcommand', (thisCommand, subcommand) => {
+        if (thisCommand.opts().zipPath) {
+            localZipLoad(thisCommand.opts().zipPath);
+        }
+    });
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/main-adm-zip.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/main-adm-zip.js
@@ -0,0 +1,56 @@
+// const AdmZip = require("adm-zip");
+//
+// // reading archives
+// var zip = new AdmZip("/home/am/0_WorkDir/1_CodeQL Workspace/Bombs scripts and payloads/2GB.zip");
+// var zipEntries = zip.getEntries(); // an array of ZipEntry records
+//
+// zipEntries.forEach(function (zipEntry) {
+//     console.log(zipEntry.toString()); // outputs zip entries information
+//     if (zipEntry.entryName == "my_file.txt") {
+//         console.log(zipEntry.getData().toString("utf8"));
+//     }
+// });
+// // outputs the content of some_folder/my_file.txt
+// console.log(zip.readAsText("10GB"));
+// // extracts the specified file to the specified location
+// zip.extractEntryTo("10GB", "/home/me/tempfolder", false, true);
+// // extracts everything
+// zip.extractAllTo("./tmp", true);
+
+const AdmZip = require("adm-zip");
+const express = require('express')
+const fileUpload = require("express-fileupload");
+const fs = require("fs");
+const app = express();
+const port = 3000;
+app.use(fileUpload());
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+});
+
+app.post('/upload', (req, res) => {
+    zipBomb(req.files.zipBombFile)
+    res.send('Hello World!')
+});
+
+function zipBomb(tarFile) {
+    fs.writeFileSync(tarFile.name, tarFile.data);
+    // or using fs.writeFile
+
+    // file path is a tmp file name that can get from DB after saving to DB with remote file upload
+    // so the input file name will come from a DB source
+    const admZip
+        = new AdmZip(tarFile.data);
+    const zipEntries = admZip.getEntries();
+    zipEntries.forEach(function (zipEntry) {
+        if (zipEntry.entryName === "my_file.txt") {
+            console.log(zipEntry.getData().toString("utf8"));
+        }
+    });
+    // outputs the content of file named 10GB
+    console.log(admZip.readAsText("10GB"));
+    // extracts the specified file to the specified location
+    admZip.extractEntryTo("10GB", "/tmp/", false, true);
+    // extracts everything
+    admZip.extractAllTo("./tmp", true);
+}
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/main-jszip.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/main-jszip.js
@@ -0,0 +1,59 @@
+const jszipp = require("jszip");
+const express = require('express')
+const fileUpload = require("express-fileupload");
+const fs = require("fs");
+const JSZip = require("jszip");
+const app = express();
+const port = 3000;
+app.use(fileUpload());
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+});
+
+app.post('/upload', (req, res) => {
+    let tmpObj = {"a": req.files.zipBombFile}
+    zipBomb(tmpObj["a"])
+    zipBombSafe(tmpObj["a"])
+    res.send("OK")
+});
+
+function zipBombSafe(zipFile) {
+    jszipp.loadAsync(zipFile.data).then(function (zip) {
+        if (zip.file("10GB")["_data"]["uncompressedSize"] > 1024 * 1024 * 8) {
+            console.log("error")
+            return
+        }
+        zip.files["10GB"].async("uint8array").then(function (u8) {
+            console.log(u8);
+        });
+        zip.file("10GB").async("uint8array").then(function (u8) {
+            console.log(u8);
+        });
+    });
+}
+
+function zipBomb(zipFile) {
+    jszipp.loadAsync(zipFile.data).then(function (zip) {
+        zip.files["10GB"].async("uint8array").then(function (u8) {
+            console.log(u8);
+        });
+        zip.file("10GB").async("uint8array").then(function (u8) {
+            console.log(u8);
+        });
+    });
+}
+
+// local example
+function localZipLoad(path) {
+    fs.readFile(path
+        , function (err, data) {
+            if (err) throw err;
+            JSZip.loadAsync(data).then((zip) => {
+                console.log(zip);
+                console.log(zip.files["10GB"]);
+            });
+        });
+
+}
+
+module.exports = {localZipLoad};
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/main-node-tar.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/main-node-tar.js
@@ -0,0 +1,67 @@
+const tar = require("tar");
+const express = require('express')
+const fileUpload = require("express-fileupload");
+const {Readable, writeFileSync} = require("stream");
+const fs = require("fs");
+const {createGunzip} = require("zlib");
+const app = express();
+const port = 3000;
+app.use(fileUpload());
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+});
+
+app.post('/upload', (req, res) => {
+    zipBomb(req.files.zipBombFile)
+    res.send('Hello World!')
+});
+
+function zipBomb(tarFile) {
+    // scenario 1
+    const inputFile = Readable.from(tarFile.data);
+    const outputFile = fs.createWriteStream('/tmp/untar');
+    inputFile.pipe(
+        tar.x()
+    ).pipe(outputFile);
+
+    // scenario 2
+    fs.writeFileSync(tarFile.name, tarFile.data);
+    fs.createReadStream(tarFile.name).pipe(
+        tar.x({
+            strip: 1,
+            C: 'some-dir'
+        })
+    )
+    // safe https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90
+    fs.createReadStream(tarFile.name).pipe(
+        tar.x({
+            strip: 1,
+            C: 'some-dir',
+            maxReadSize: 16 * 1024 * 1024 // 16 MB
+        })
+    )
+    // scenario 3
+    const decompressor = createGunzip();
+    fs.createReadStream(tarFile.name).pipe(
+        decompressor
+    ).pipe(
+        tar.x({
+            cwd: "dest"
+        })
+    )
+
+    // scenario 4
+    fs.writeFileSync(tarFile.name, tarFile.data);
+    // or using fs.writeFile
+    // file path is a tmp file name that can get from DB after saving to DB with remote file upload
+    // so the input file name will come from a DB source
+    tar.x({file: tarFile.name})
+    tar.extract({file: tarFile.name})
+    // safe https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90
+    tar.x({
+        file: tarFile.name,
+        strip: 1,
+        C: 'some-dir',
+        maxReadSize: 16 * 1024 * 1024 // 16 MB
+    })
+}
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/main-pako.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/main-pako.js
@@ -0,0 +1,52 @@
+const pako = require('pako');
+const express = require('express')
+const fileUpload = require("express-fileupload");
+const app = express();
+const port = 3000;
+app.use(fileUpload());
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+});
+
+app.post('/upload', (req, res) => {
+    zipBomb1(req.files.zipBombFile);
+    zipBomb2(req.files.zipBombFile);
+    res.send('Hello World!');
+});
+
+function zipBomb1(zipFile) {
+    const myArray = Buffer.from(new Uint8Array(zipFile.data.buffer));
+    let output;
+    try {
+        output = pako.inflate(myArray);
+        console.log(output);
+    } catch (err) {
+        console.log(err);
+    }
+}
+
+function zipBomb2(zipFile) {
+    const myArray = new Uint8Array(zipFile.data.buffer).buffer;
+    let output;
+    try {
+        output = pako.inflate(myArray);
+        console.log(output);
+    } catch (err) {
+        console.log(err);
+    }
+}
+
+
+//
+// const pako = require('pako');
+// const fs = require("fs")
+// const myArrayBuffer = fs.readFileSync("/home/am/0_WorkDir/1_CodeQL Workspace/Bombs scripts and payloads/bomb.tar.gzip", null).buffer;
+// // const myArray = new Uint16Array(toArrayBuffer(myArrayBuffer));
+// // const myArray = Buffer.from(new Uint8Array(myArrayBuffer));
+// const myArray = new Uint8Array(myArrayBuffer).buffer;
+// try {
+//     output = pako.inflate(myArray);
+//     console.log(output)
+// } catch (err) {
+//     console.log(err);
+// }
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/main-zlib.js
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/main-zlib.js
@@ -0,0 +1,86 @@
+const fs = require("fs");
+const zlib = require("zlib");
+const {Readable} = require('stream');
+
+const express = require('express');
+const fileUpload = require("express-fileupload");
+const app = express();
+const port = 3000;
+app.use(fileUpload());
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+});
+
+app.post('/upload', (req, res) => {
+    zlibBombAsync(req.files.zipBombFile)
+    zlibBombAsyncSafe(req.files.zipBombFile);
+    zlibBombSync(req.files.zipBombFile)
+    zlibBombSyncSafe(req.files.zipBombFile)
+    zlibBombPipeStream(req.files.zipBombFile)
+    zlibBombPipeStreamSafe(req.files.zipBombFile)
+    res.send('Hello World!')
+});
+
+
+function zlibBombAsync(zipFile) {
+    zlib.gunzip(
+        zipFile.data,
+        (err, buffer) => {
+        });
+    zlib.unzip(
+        zipFile.data,
+        (err, buffer) => {
+        });
+
+    zlib.brotliDecompress(
+        zipFile.data,
+        (err, buffer) => {
+        });
+}
+
+function zlibBombAsyncSafe(zipFile) {
+    zlib.gunzip(
+        zipFile.data,
+        {maxOutputLength: 1024 * 1024 * 5},
+        (err, buffer) => {
+        });
+    zlib.unzip(
+        zipFile.data,
+        {maxOutputLength: 1024 * 1024 * 5},
+        (err, buffer) => {
+        });
+
+    zlib.brotliDecompress(
+        zipFile.data,
+        {maxOutputLength: 1024 * 1024 * 5},
+        (err, buffer) => {
+        });
+}
+
+function zlibBombSync(zipFile) {
+    zlib.gunzipSync(zipFile.data, {finishFlush: zlib.constants.Z_SYNC_FLUSH});
+    zlib.unzipSync(zipFile.data);
+    zlib.brotliDecompressSync(zipFile.data);
+}
+
+function zlibBombSyncSafe(zipFile) {
+    zlib.gunzipSync(zipFile.data, {finishFlush: zlib.constants.Z_SYNC_FLUSH, maxOutputLength: 1024 * 1024 * 5});
+    zlib.unzipSync(zipFile.data, {maxOutputLength: 1024 * 1024 * 5});
+    zlib.brotliDecompressSync(zipFile.data, {maxOutputLength: 1024 * 1024 * 5});
+}
+
+function zlibBombPipeStream(zipFile) {
+    const inputFile = Readable.from(zipFile.data);
+    const outputFile = fs.createWriteStream('unzip.txt');
+    inputFile.pipe(zlib.createGunzip()).pipe(outputFile);
+    inputFile.pipe(zlib.createUnzip()).pipe(outputFile);
+    inputFile.pipe(zlib.createBrotliDecompress()).pipe(outputFile);
+}
+
+function zlibBombPipeStreamSafe(zipFile) {
+    const inputFile = Readable.from(zipFile.data);
+    const outputFile = fs.createWriteStream('unzip.txt');
+    inputFile.pipe(zlib.createGunzip({maxOutputLength: 1024 * 1024 * 5})).pipe(outputFile);
+    inputFile.pipe(zlib.createUnzip({maxOutputLength: 1024 * 1024 * 5})).pipe(outputFile);
+    inputFile.pipe(zlib.createBrotliDecompress({maxOutputLength: 1024 * 1024 * 5})).pipe(outputFile);
+}
				`@@ -1 +0,0 @@`
				`experimental/Security/CWE-094/UntrustedCheckout.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-522-DecompressionBombs/Bombs_jszip.ql`
				`@@ -0,0 +1,2 @@`
				`experimental/Security/CWE-522-DecompressionBombs/Bombs_node-tar.ql`