Merge pull request #4708 from erik-krogh/emptyName

Approved by asgerf

javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected

@@ -16,6 +16,7 @@
 | private-file-exposure.js:22:1:22:58 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
 | private-file-exposure.js:40:1:40:88 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
 | private-file-exposure.js:41:1:41:97 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
-| private-file-exposure.js:42:1:42:66 | app.use ... dir())) | Serves the home folder , which can contain private information. |
+| private-file-exposure.js:42:1:42:66 | app.use ... dir())) | Serves the home folder, which can contain private information. |
 | private-file-exposure.js:43:1:43:46 | app.use ... )("/")) | Serves the root folder, which can contain private information. |
 | private-file-exposure.js:51:5:51:88 | app.use ... les'))) | Serves the folder "../node_modules", which can contain private information. |
+| subfolder/private-file-exposure-2.js:6:1:6:34 | app.use ... rname)) | Serves the folder query-tests/Security/CWE-200/subfolder, which can contain private information. |

javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js

@@ -59,4 +59,6 @@ function good() {
 
     app.use("jquery", express.static('./node_modules/jquery/dist')); // OK
     app.use("bootstrap", express.static('./node_modules/bootstrap/dist')); // OK
-}
+}
+
+app.use(express.static(__dirname)) // NOT OK

javascript/ql/test/query-tests/Security/CWE-200/subfolder/package.json

@@ -0,0 +1 @@
+{}

javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js

@@ -0,0 +1,6 @@
+var express = require('express');
+var http = require('http')
+var app = express()
+var server = http.createServer(app)
+// Static files:
+app.use(express.static(__dirname))