Merge branch 'main' into refacReDoS

This commit is contained in:
Erik Krogh Kristensen
2022-08-09 16:18:46 +02:00
1452 changed files with 75078 additions and 71169 deletions


@@ -0,0 +1,3 @@
module.exports = function (name) {
/a*b/.test(name); // NOT OK
};
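Review bot: The `// NOT OK` on `/a*b/.test(name)` does not record which property of the pattern the fixture relies on, and the same three lines appear again in the next file section. Presumably the point is that `name` is library input and `a*b` backtracks quadratically on a long run of `a` with no `b`, so this exercises the polynomial-backtracking case rather than regex injection; spelling that out, e.g. `/a*b/.test(name); // NOT OK - polynomial backtracking on library input`, makes the expected alert self-explanatory. The discarded boolean result is fine for a fixture.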


@@ -0,0 +1,3 @@
module.exports = function (name) {
/a*b/.test(name); // NOT OK
};


@@ -0,0 +1,11 @@
{
"name": "my-sub-lib",
"version": "0.0.7",
"main": "./main.js",
"exports": {
".": "./main.js",
"./feature": {
"default": "./feature.js"
}
}
}


@@ -3235,6 +3235,92 @@ nodes
| tainted-access-paths.js:40:23:40:26 | path |
| tainted-access-paths.js:40:23:40:26 | path |
| tainted-access-paths.js:40:23:40:26 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:24:48:30 | req.url |
| tainted-access-paths.js:48:24:48:30 | req.url |
| tainted-access-paths.js:48:24:48:30 | req.url |
| tainted-access-paths.js:48:24:48:30 | req.url |
| tainted-access-paths.js:48:24:48:30 | req.url |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:49:10:49:13 | path |
| tainted-require.js:7:19:7:37 | req.param("module") |
| tainted-require.js:7:19:7:37 | req.param("module") |
| tainted-require.js:7:19:7:37 | req.param("module") |
@@ -8759,6 +8845,118 @@ edges
| tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:39:14:39:37 | url.par ... , true) |
| tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:39:14:39:37 | url.par ... , true) |
| tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:39:14:39:37 | url.par ... , true) |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) |
| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") |
| tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") |
| tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") |
@@ -10000,6 +10198,7 @@ edges
| tainted-access-paths.js:30:23:30:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:30:23:30:30 | obj.sub4 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
| tainted-access-paths.js:31:23:31:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:31:23:31:30 | obj.sub4 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
| tainted-access-paths.js:40:23:40:26 | path | tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:40:23:40:26 | path | This path depends on $@. | tainted-access-paths.js:39:24:39:30 | req.url | a user-provided value |
| tainted-access-paths.js:49:10:49:13 | path | tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:49:10:49:13 | path | This path depends on $@. | tainted-access-paths.js:48:24:48:30 | req.url | a user-provided value |
| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
| tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | This path depends on $@. | tainted-require.js:12:29:12:47 | req.param("module") | a user-provided value |
| tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | This path depends on $@. | tainted-require.js:14:11:14:29 | req.param("module") | a user-provided value |


@@ -40,4 +40,11 @@ var server2 = http.createServer(function(req, res) {
nodefs.readFileSync(path); // NOT OK
});
server2.listen();
server2.listen();
const chownr = require("chownr");
var server3 = http.createServer(function (req, res) {
let path = url.parse(req.url, true).query.path;
chownr(path, "someuid", "somegid", function (err) {}); // NOT OK
});


@@ -1026,6 +1026,10 @@ nodes
| tst.js:476:20:476:22 | url |
| tst.js:486:22:486:24 | url |
| tst.js:486:22:486:24 | url |
| tst.js:491:23:491:35 | location.hash |
| tst.js:491:23:491:35 | location.hash |
| tst.js:491:23:491:45 | locatio ... bstr(1) |
| tst.js:491:23:491:45 | locatio ... bstr(1) |
| typeahead.js:20:13:20:45 | target |
| typeahead.js:20:22:20:45 | documen ... .search |
| typeahead.js:20:22:20:45 | documen ... .search |
@@ -2081,6 +2085,10 @@ edges
| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) |
| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) |
| tst.js:471:13:471:46 | documen ... bstr(1) | tst.js:471:7:471:46 | url |
| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) |
| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) |
| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) |
| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) |
| typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
@@ -2354,6 +2362,7 @@ edges
| tst.js:475:25:475:27 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:475:25:475:27 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| tst.js:476:20:476:22 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:476:20:476:22 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| tst.js:486:22:486:24 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:486:22:486:24 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| tst.js:491:23:491:45 | locatio ... bstr(1) | tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:491:23:491:35 | location.hash | user-provided value |
| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value |
| v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
| various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |


@@ -1038,6 +1038,10 @@ nodes
| tst.js:476:20:476:22 | url |
| tst.js:486:22:486:24 | url |
| tst.js:486:22:486:24 | url |
| tst.js:491:23:491:35 | location.hash |
| tst.js:491:23:491:35 | location.hash |
| tst.js:491:23:491:45 | locatio ... bstr(1) |
| tst.js:491:23:491:45 | locatio ... bstr(1) |
| typeahead.js:9:28:9:30 | loc |
| typeahead.js:9:28:9:30 | loc |
| typeahead.js:9:28:9:30 | loc |
@@ -2143,6 +2147,10 @@ edges
| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) |
| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) |
| tst.js:471:13:471:46 | documen ... bstr(1) | tst.js:471:7:471:46 | url |
| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) |
| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) |
| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) |
| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) |
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |


@@ -487,4 +487,6 @@ function urlStuff() {
}
window.open(location.hash.substr(1)); // OK - any JavaScript is executed in another context
}
navigation.navigate(location.hash.substr(1)); // NOT OK
}
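Review bot: The new `navigation.navigate(location.hash.substr(1)); // NOT OK` line gives no reason, while the `window.open` line directly above explains why it is OK. Mirroring that style, e.g. `// NOT OK - navigates the current document, so a javascript: URL would run in this context`, records why the two sinks are treated differently; that is my reading of the contrast with the `window.open` comment, so confirm it against the query. `urlStuff()` starts outside the hunk.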


@@ -46,6 +46,16 @@ nodes
| main.js:66:35:66:41 | attrVal |
| main.js:67:63:67:69 | attrVal |
| main.js:67:63:67:69 | attrVal |
| main.js:79:34:79:36 | val |
| main.js:79:34:79:36 | val |
| main.js:81:35:81:37 | val |
| main.js:81:35:81:37 | val |
| main.js:89:21:89:21 | x |
| main.js:90:23:90:23 | x |
| main.js:90:23:90:23 | x |
| main.js:93:43:93:43 | x |
| main.js:93:43:93:43 | x |
| main.js:94:31:94:31 | x |
| typed.ts:1:39:1:39 | s |
| typed.ts:1:39:1:39 | s |
| typed.ts:2:29:2:29 | s |
@@ -107,6 +117,15 @@ edges
| main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal |
| main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal |
| main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal |
| main.js:79:34:79:36 | val | main.js:81:35:81:37 | val |
| main.js:79:34:79:36 | val | main.js:81:35:81:37 | val |
| main.js:79:34:79:36 | val | main.js:81:35:81:37 | val |
| main.js:79:34:79:36 | val | main.js:81:35:81:37 | val |
| main.js:89:21:89:21 | x | main.js:90:23:90:23 | x |
| main.js:89:21:89:21 | x | main.js:90:23:90:23 | x |
| main.js:93:43:93:43 | x | main.js:94:31:94:31 | x |
| main.js:93:43:93:43 | x | main.js:94:31:94:31 | x |
| main.js:94:31:94:31 | x | main.js:89:21:89:21 | x |
| typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
| typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
| typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
@@ -132,5 +151,7 @@ edges
| main.js:47:65:47:73 | this.step | main.js:52:41:52:41 | s | main.js:47:65:47:73 | this.step | $@ based on $@ might later cause $@. | main.js:47:65:47:73 | this.step | HTML construction | main.js:52:41:52:41 | s | library input | main.js:47:54:47:85 | "<span> ... /span>" | cross-site scripting |
| main.js:62:19:62:31 | settings.name | main.js:56:28:56:34 | options | main.js:62:19:62:31 | settings.name | $@ based on $@ might later cause $@. | main.js:62:19:62:31 | settings.name | HTML construction | main.js:56:28:56:34 | options | library input | main.js:62:11:62:40 | "<b>" + ... "</b>" | cross-site scripting |
| main.js:67:63:67:69 | attrVal | main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal | $@ based on $@ might later cause $@. | main.js:67:63:67:69 | attrVal | HTML construction | main.js:66:35:66:41 | attrVal | library input | main.js:67:47:67:78 | "<img a ... "\\"/>" | cross-site scripting |
| main.js:81:35:81:37 | val | main.js:79:34:79:36 | val | main.js:81:35:81:37 | val | $@ based on $@ might later cause $@. | main.js:81:35:81:37 | val | HTML construction | main.js:79:34:79:36 | val | library input | main.js:81:24:81:49 | "<span> ... /span>" | cross-site scripting |
| main.js:90:23:90:23 | x | main.js:93:43:93:43 | x | main.js:90:23:90:23 | x | $@ based on $@ might later cause $@. | main.js:90:23:90:23 | x | HTML construction | main.js:93:43:93:43 | x | library input | main.js:94:20:94:32 | createHTML(x) | cross-site scripting |
| typed.ts:2:29:2:29 | s | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | $@ based on $@ might later cause $@. | typed.ts:2:29:2:29 | s | HTML construction | typed.ts:1:39:1:39 | s | library input | typed.ts:3:31:3:34 | html | cross-site scripting |
| typed.ts:8:40:8:40 | s | typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | $@ based on $@ might later cause $@. | typed.ts:8:40:8:40 | s | HTML construction | typed.ts:6:43:6:43 | s | library input | typed.ts:8:29:8:52 | "<span> ... /span>" | cross-site scripting |


@@ -75,3 +75,21 @@ module.exports.intentionalTemplate = function (obj) {
const html = "<span>" + obj.spanTemplate + "</span>"; // OK
document.querySelector("#template").innerHTML = html;
}
module.exports.types = function (val) {
if (typeof val === "string") {
$("#foo").html("<span>" + val + "</span>"); // NOT OK
} else if (typeof val === "number") {
$("#foo").html("<span>" + val + "</span>"); // OK
} else if (typeof val === "boolean") {
$("#foo").html("<span>" + val + "</span>"); // OK
}
}
function createHTML(x) {
return "<span>" + x + "</span>"; // NOT OK
}
module.exports.usesCreateHTML = function (x) {
$("#foo").html(createHTML(x));
}
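Review bot: `$("#foo").html(createHTML(x));` in `usesCreateHTML` carries no OK/NOT OK annotation, unlike every other sink line in the hunk. The expected results in this commit appear to report this flow at the `"<span>" + x + "</span>"` construction inside `createHTML` rather than at the call, so a comment such as `$("#foo").html(createHTML(x)); // alert is reported at the construction in createHTML` would stop a reader from assuming the call was overlooked. `module.exports.intentionalTemplate` starts outside the hunk.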


@@ -11,6 +11,10 @@ nodes
| lib/index.js:13:38:13:41 | data |
| lib/index.js:14:21:14:24 | data |
| lib/index.js:14:21:14:24 | data |
| lib/index.js:19:26:19:29 | data |
| lib/index.js:19:26:19:29 | data |
| lib/index.js:22:7:22:10 | data |
| lib/index.js:22:7:22:10 | data |
edges
| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
@@ -24,7 +28,12 @@ edges
| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
#select
| lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | $@ flows to here and is later $@. | lib/index.js:1:35:1:38 | data | Library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code |
| lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | $@ flows to here and is later $@. | lib/index.js:5:35:5:38 | name | Library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code |
| lib/index.js:14:21:14:24 | data | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data | $@ flows to here and is later $@. | lib/index.js:13:38:13:41 | data | Library input | lib/index.js:14:15:14:30 | "(" + data + ")" | interpreted as code |
| lib/index.js:22:7:22:10 | data | lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data | $@ flows to here and is later $@. | lib/index.js:19:26:19:29 | data | Library input | lib/index.js:25:24:25:26 | str | interpreted as code |


@@ -12,4 +12,24 @@ export function safeAssignment(obj, value) {
global.unsafeDeserialize = function (data) {
return eval("(" + data + ")"); // NOT OK
}
}
const matter = require("gray-matter");
export function greySink(data) {
const str = `
---js
${data}
---
`
const res = matter(str);
console.log(res);
matter(str, { // OK
engines: {
js: function (data) {
console.log("NOPE");
}
}
});
}
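Review bot: The first `const res = matter(str);` call in `greySink` has no OK/NOT OK annotation, while the second `matter(str, { engines: … })` call is marked `// OK`; the expected results in this commit appear to report the sink at this first call, so `const res = matter(str); // NOT OK - the js front-matter block is interpreted as code` would document the intent. `console.log(res)` reads like a leftover; either drop it or comment that it is there to use the result. The `const matter = require("gray-matter");` line mixes CommonJS `require` with the file's `export function` declarations, but the surrounding file already does the same.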


@@ -0,0 +1,3 @@
| tst.js:8:9:8:19 | /\\/foo\\/.*/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO/' will bypass the middleware. | tst.js:8:9:8:19 | /\\/foo\\/.*/ | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
| tst.js:14:5:14:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO' will bypass the middleware. | tst.js:14:5:14:28 | new Reg ... (.*)?') | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
| tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO/' will bypass the middleware. | tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |


@@ -0,0 +1 @@
Security/CWE-178/CaseSensitiveMiddlewarePath.ql


@@ -0,0 +1,9 @@
const express = require('express');
const app = express();
app.get(/\/[a-zA-Z]+/, (req, res, next) => { // OK - regexp term is case insensitive
next();
});
app.get('/foo', (req, res) => {
});


@@ -0,0 +1,61 @@
const express = require('express');
const app = express();
const unknown = require('~something/blah');
app.all(/\/.*/, unknown()); // OK - does not contain letters
app.all(/\/.*/i, unknown()); // OK
app.all(/\/foo\/.*/, unknown()); // NOT OK
app.all(/\/foo\/.*/i, unknown()); // OK - case insensitive
app.use(/\/x\/#\d{6}/, express.static('images/')); // OK - not a middleware
app.get(
new RegExp('^/foo(.*)?'), // NOT OK - case sensitive
unknown(),
function(req, res, next) {
if (req.params.blah) {
next();
}
}
);
app.get(
new RegExp('^/foo(.*)?', 'i'), // OK - case insensitive
unknown(),
function(req, res, next) {
if (req.params.blah) {
next();
}
}
);
app.get(
new RegExp('^/foo(.*)?'), // OK - not a middleware
unknown(),
function(req,res) {
res.send('Hello World!');
}
);
app.use(/\/foo\/([0-9]+)/, (req, res, next) => { // NOT OK - case sensitive
unknown(req);
next();
});
app.use(/\/foo\/([0-9]+)/i, (req, res, next) => { // OK - case insensitive
unknown(req);
next();
});
app.use(/\/foo\/([0-9]+)/, (req, res) => { // OK - not middleware
unknown(req, res);
});
app.use(/\/foo\/([0-9]+)/i, (req, res) => { // OK - not middleware (also case insensitive)
unknown(req, res);
});
app.get('/foo/:param', (req, res) => { // OK - not a middleware
});
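Review bot: The `// OK - not a middleware` comment on the `express.static('images/')` line is imprecise, since express.static is itself middleware; what the test presumably asserts is that the query does not treat it as a route-guarding handler that calls `next()`. Stating the actual reason, e.g. `// OK - express.static is not modelled as a guarding middleware`, would keep the expectation readable alongside the other `OK - not a middleware` cases, which all refer to handlers without a `next` parameter. As a point of style, `function(req,res)` in the third app.get call lacks the space after the comma used by the other handlers in the file.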


@@ -38,6 +38,8 @@
| lib/snapdragon.js:15:26:15:27 | a* | Strings starting with 'a' and with many repetitions of 'a' can start matching anywhere after the start of the preceeding aa*$ |
| lib/snapdragon.js:23:22:23:23 | a* | Strings starting with 'a' and with many repetitions of 'a' can start matching anywhere after the start of the preceeding aa*$ |
| lib/subLib4/factory.js:8:3:8:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
| lib/subLib5/feature.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
| lib/subLib5/main.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
| lib/sublib/factory.js:13:14:13:15 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
| polynomial-redos.js:7:24:7:26 | \\s+ | Strings with many repetitions of '\\t' can start matching anywhere after the start of the preceeding \\s+$ |
| polynomial-redos.js:8:17:8:18 | * | Strings with many repetitions of ' ' can start matching anywhere after the start of the preceeding *, * |


@@ -51,6 +51,14 @@ nodes
| lib/subLib4/factory.js:7:27:7:30 | name |
| lib/subLib4/factory.js:8:13:8:16 | name |
| lib/subLib4/factory.js:8:13:8:16 | name |
| lib/subLib5/feature.js:1:28:1:31 | name |
| lib/subLib5/feature.js:1:28:1:31 | name |
| lib/subLib5/feature.js:2:13:2:16 | name |
| lib/subLib5/feature.js:2:13:2:16 | name |
| lib/subLib5/main.js:1:28:1:31 | name |
| lib/subLib5/main.js:1:28:1:31 | name |
| lib/subLib5/main.js:2:13:2:16 | name |
| lib/subLib5/main.js:2:13:2:16 | name |
| lib/sublib/factory.js:12:26:12:29 | name |
| lib/sublib/factory.js:12:26:12:29 | name |
| lib/sublib/factory.js:13:24:13:27 | name |
@@ -256,6 +264,14 @@ edges
| lib/subLib4/factory.js:7:27:7:30 | name | lib/subLib4/factory.js:8:13:8:16 | name |
| lib/subLib4/factory.js:7:27:7:30 | name | lib/subLib4/factory.js:8:13:8:16 | name |
| lib/subLib4/factory.js:7:27:7:30 | name | lib/subLib4/factory.js:8:13:8:16 | name |
| lib/subLib5/feature.js:1:28:1:31 | name | lib/subLib5/feature.js:2:13:2:16 | name |
| lib/subLib5/feature.js:1:28:1:31 | name | lib/subLib5/feature.js:2:13:2:16 | name |
| lib/subLib5/feature.js:1:28:1:31 | name | lib/subLib5/feature.js:2:13:2:16 | name |
| lib/subLib5/feature.js:1:28:1:31 | name | lib/subLib5/feature.js:2:13:2:16 | name |
| lib/subLib5/main.js:1:28:1:31 | name | lib/subLib5/main.js:2:13:2:16 | name |
| lib/subLib5/main.js:1:28:1:31 | name | lib/subLib5/main.js:2:13:2:16 | name |
| lib/subLib5/main.js:1:28:1:31 | name | lib/subLib5/main.js:2:13:2:16 | name |
| lib/subLib5/main.js:1:28:1:31 | name | lib/subLib5/main.js:2:13:2:16 | name |
| lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
| lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
| lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
@@ -418,6 +434,8 @@ edges
| lib/snapdragon.js:15:13:15:30 | this.match(/aa*$/) | lib/snapdragon.js:12:34:12:38 | input | lib/snapdragon.js:15:13:15:16 | this | This $@ that depends on $@ may run slow on strings starting with 'a' and with many repetitions of 'a'. | lib/snapdragon.js:15:26:15:27 | a* | regular expression | lib/snapdragon.js:12:34:12:38 | input | library input |
| lib/snapdragon.js:23:5:23:26 | node.va ... /aa*$/) | lib/snapdragon.js:20:34:20:38 | input | lib/snapdragon.js:23:5:23:12 | node.val | This $@ that depends on $@ may run slow on strings starting with 'a' and with many repetitions of 'a'. | lib/snapdragon.js:23:22:23:23 | a* | regular expression | lib/snapdragon.js:20:34:20:38 | input | library input |
| lib/subLib4/factory.js:8:2:8:17 | /f*g/.test(name) | lib/subLib4/factory.js:7:27:7:30 | name | lib/subLib4/factory.js:8:13:8:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/subLib4/factory.js:8:3:8:4 | f* | regular expression | lib/subLib4/factory.js:7:27:7:30 | name | library input |
| lib/subLib5/feature.js:2:2:2:17 | /a*b/.test(name) | lib/subLib5/feature.js:1:28:1:31 | name | lib/subLib5/feature.js:2:13:2:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/subLib5/feature.js:2:3:2:4 | a* | regular expression | lib/subLib5/feature.js:1:28:1:31 | name | library input |
| lib/subLib5/main.js:2:2:2:17 | /a*b/.test(name) | lib/subLib5/main.js:1:28:1:31 | name | lib/subLib5/main.js:2:13:2:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/subLib5/main.js:2:3:2:4 | a* | regular expression | lib/subLib5/main.js:1:28:1:31 | name | library input |
| lib/sublib/factory.js:13:13:13:28 | /f*g/.test(name) | lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/sublib/factory.js:13:14:13:15 | f* | regular expression | lib/sublib/factory.js:12:26:12:29 | name | library input |
| polynomial-redos.js:7:2:7:34 | tainted ... /g, '') | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:7:2:7:8 | tainted | This $@ that depends on $@ may run slow on strings with many repetitions of '\\t'. | polynomial-redos.js:7:24:7:26 | \\s+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:8:2:8:23 | tainted ... *, */) | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:8:2:8:8 | tainted | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | polynomial-redos.js:8:17:8:18 | * | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |