merge commit

2026-05-21 06:37:10 +02:00 · 2024-08-19 13:23:32 +00:00
parent f19681fa12 3be219c79d
commit 4c29ea9cf6
921 changed files with 114863 additions and 7268 deletions
--- a/javascript/extractor/src/com/semmle/jcorn/Parser.java
+++ b/javascript/extractor/src/com/semmle/jcorn/Parser.java
@@ -3547,7 +3547,19 @@ public class Parser {

      SourceLocation loc = new SourceLocation(this.startLoc);
      Identifier local = this.parseIdent(this.type == TokenType._default);
-      Identifier exported = this.eatContextual("as") ? this.parseIdent(true) : local;
+      Identifier exported;
+      if (!this.eatContextual("as")) {
+        exported = local;
+      } else {
+        if (this.type == TokenType.string) {
+          // e.g. `export { Foo_new as "Foo::new" }`
+          Expression string = this.parseExprAtom(null);
+          String str = ((Literal)string).getStringValue();
+          exported = this.finishNode(new Identifier(loc, str));
+        } else {
+          exported = this.parseIdent(true);
+        }
+      }
      checkExport(exports, exported.getName(), exported.getLoc().getStart());
      nodes.add(this.finishNode(new ExportSpecifier(loc, local, exported)));
    }
@@ -3629,7 +3641,22 @@ public class Parser {

  protected ImportSpecifier parseImportSpecifier() {
    SourceLocation loc = new SourceLocation(this.startLoc);
-    Identifier imported = this.parseIdent(true), local;
+    Identifier imported, local;
+
+    if (this.type == TokenType.string) {
+      // Arbitrary Module Namespace Identifiers
+      // e.g. `import { "Foo::new" as Foo_new } from "./foo.wasm"`
+      Expression string = this.parseExprAtom(null);    
+      String str = ((Literal)string).getStringValue();
+      imported = this.finishNode(new Identifier(loc, str));
+      // only makes sense if there is a local identifier
+      if (!this.isContextual("as")) {
+        this.raiseRecoverable(this.start, "Unexpected string");
+      }
+    } else {
+      imported = this.parseIdent(true);
+    }
+
    if (this.eatContextual("as")) {
      local = this.parseIdent(false);
    } else {
--- a/javascript/extractor/tests/flow/input/arbitaryModuleSpecifier.js
+++ b/javascript/extractor/tests/flow/input/arbitaryModuleSpecifier.js
@@ -0,0 +1 @@
+import { "foo" } from "foo"; // syntax-error, but it shouldn't crash the extractor
--- a/javascript/extractor/tests/flow/output/trap/arbitaryModuleSpecifier.js.trap
+++ b/javascript/extractor/tests/flow/output/trap/arbitaryModuleSpecifier.js.trap
@@ -0,0 +1,143 @@
+#10000=@"/arbitaryModuleSpecifier.js;sourcefile"
+files(#10000,"/arbitaryModuleSpecifier.js")
+#10001=@"/;folder"
+folders(#10001,"/")
+containerparent(#10001,#10000)
+#10002=@"loc,{#10000},0,0,0,0"
+locations_default(#10002,#10000,0,0,0,0)
+hasLocation(#10000,#10002)
+#20000=@"global_scope"
+scopes(#20000,0)
+#20001=@"script;{#10000},1,1"
+#20002=*
+comments(#20002,0,#20001," syntax-error, but it shouldn't crash the extractor","// synt ... tractor")
+#20003=@"loc,{#10000},1,30,1,82"
+locations_default(#20003,#10000,1,30,1,82)
+hasLocation(#20002,#20003)
+#20004=*
+lines(#20004,#20001,"import { ""foo"" } from ""foo""; // syntax-error, but it shouldn't crash the extractor","
+")
+#20005=@"loc,{#10000},1,1,1,82"
+locations_default(#20005,#10000,1,1,1,82)
+hasLocation(#20004,#20005)
+numlines(#20001,1,1,1)
+#20006=*
+tokeninfo(#20006,7,#20001,0,"import")
+#20007=@"loc,{#10000},1,1,1,6"
+locations_default(#20007,#10000,1,1,1,6)
+hasLocation(#20006,#20007)
+#20008=*
+tokeninfo(#20008,8,#20001,1,"{")
+#20009=@"loc,{#10000},1,8,1,8"
+locations_default(#20009,#10000,1,8,1,8)
+hasLocation(#20008,#20009)
+#20010=*
+tokeninfo(#20010,4,#20001,2,"""foo""")
+#20011=@"loc,{#10000},1,10,1,14"
+locations_default(#20011,#10000,1,10,1,14)
+hasLocation(#20010,#20011)
+#20012=*
+tokeninfo(#20012,8,#20001,3,"}")
+#20013=@"loc,{#10000},1,16,1,16"
+locations_default(#20013,#10000,1,16,1,16)
+hasLocation(#20012,#20013)
+#20014=*
+tokeninfo(#20014,6,#20001,4,"from")
+#20015=@"loc,{#10000},1,18,1,21"
+locations_default(#20015,#10000,1,18,1,21)
+hasLocation(#20014,#20015)
+#20016=*
+tokeninfo(#20016,4,#20001,5,"""foo""")
+#20017=@"loc,{#10000},1,23,1,27"
+locations_default(#20017,#10000,1,23,1,27)
+hasLocation(#20016,#20017)
+#20018=*
+tokeninfo(#20018,8,#20001,6,";")
+#20019=@"loc,{#10000},1,28,1,28"
+locations_default(#20019,#10000,1,28,1,28)
+hasLocation(#20018,#20019)
+#20020=*
+tokeninfo(#20020,0,#20001,7,"")
+#20021=@"loc,{#10000},2,1,2,0"
+locations_default(#20021,#10000,2,1,2,0)
+hasLocation(#20020,#20021)
+next_token(#20002,#20020)
+toplevels(#20001,0)
+#20022=@"loc,{#10000},1,1,2,0"
+locations_default(#20022,#10000,1,1,2,0)
+hasLocation(#20001,#20022)
+#20023=@"module;{#10000},1,1"
+scopes(#20023,3)
+scopenodes(#20001,#20023)
+scopenesting(#20023,#20000)
+is_module(#20001)
+is_es2015_module(#20001)
+#20024=@"var;{foo};{#20023}"
+variables(#20024,"foo",#20023)
+#20025=@"local_type_name;{foo};{#20023}"
+local_type_names(#20025,"foo",#20023)
+#20026=@"local_namespace_name;{foo};{#20023}"
+local_namespace_names(#20026,"foo",#20023)
+variables(#20024,"foo",#20023)
+local_type_names(#20025,"foo",#20023)
+local_namespace_names(#20026,"foo",#20023)
+#20027=*
+stmts(#20027,27,#20001,0,"import  ...  ""foo"";")
+#20028=@"loc,{#10000},1,1,1,28"
+locations_default(#20028,#10000,1,1,1,28)
+hasLocation(#20027,#20028)
+stmt_containers(#20027,#20001)
+#20029=*
+exprs(#20029,4,#20027,-1,"""foo""")
+hasLocation(#20029,#20017)
+enclosing_stmt(#20029,#20027)
+expr_containers(#20029,#20001)
+literals("foo","""foo""",#20029)
+#20030=*
+regexpterm(#20030,14,#20029,0,"foo")
+#20031=@"loc,{#10000},1,24,1,26"
+locations_default(#20031,#10000,1,24,1,26)
+hasLocation(#20030,#20031)
+regexp_const_value(#20030,"foo")
+#20032=*
+exprs(#20032,83,#20027,0,"""foo""")
+hasLocation(#20032,#20011)
+enclosing_stmt(#20032,#20027)
+expr_containers(#20032,#20001)
+#20033=*
+exprs(#20033,0,#20032,0,"""foo""")
+hasLocation(#20033,#20011)
+enclosing_stmt(#20033,#20027)
+expr_containers(#20033,#20001)
+literals("foo","foo",#20033)
+#20034=*
+exprs(#20034,78,#20032,1,"""foo""")
+hasLocation(#20034,#20011)
+enclosing_stmt(#20034,#20027)
+expr_containers(#20034,#20001)
+literals("foo","foo",#20034)
+decl(#20034,#20024)
+typedecl(#20034,#20025)
+namespacedecl(#20034,#20026)
+#20035=*
+entry_cfg_node(#20035,#20001)
+#20036=@"loc,{#10000},1,1,1,0"
+locations_default(#20036,#10000,1,1,1,0)
+hasLocation(#20035,#20036)
+#20037=*
+exit_cfg_node(#20037,#20001)
+hasLocation(#20037,#20021)
+successor(#20027,#20037)
+successor(#20032,#20027)
+successor(#20035,#20032)
+#20038=*
+js_parse_errors(#20038,#20001,"Error: Unexpected string","import { ""foo"" } from ""foo""; // syntax-error, but it shouldn't crash the extractor
+")
+hasLocation(#20038,#20013)
+#20039=*
+lines(#20039,#20001,"import { ""foo"" } from ""foo""; // syntax-error, but it shouldn't crash the extractor","
+")
+hasLocation(#20039,#20005)
+numlines(#20001,1,0,0)
+numlines(#10000,1,1,1)
+filetype(#10000,"javascript")
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.1.2
+
+No user-facing changes.
+
 ## 1.1.1

 No user-facing changes.
--- a/javascript/ql/lib/change-notes/released/1.1.2.md
+++ b/javascript/ql/lib/change-notes/released/1.1.2.md
@@ -0,0 +1,3 @@
+## 1.1.2
+
+No user-facing changes.
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.1
+lastReleaseVersion: 1.1.2
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 1.1.2-dev
+version: 1.1.3-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll
@@ -12,7 +12,7 @@ import javascript
 abstract class CredentialsNode extends DataFlow::Node {
  /**
   * Gets a description of the kind of credential this expression is used as,
-   * such as `"user name"`, `"password"`, `"key"`.
+   * such as `"user name"`, `"password"`, `"key"`, `"jwt key"`.
   */
  abstract string getCredentialsKind();
 }
--- a/javascript/ql/lib/semmle/javascript/frameworks/JWT.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/JWT.qll
@@ -40,11 +40,111 @@ private module JsonWebToken {
  }

  /**
-   * The private key for a JWT as a `CredentialsNode`.
+   * The secret or PrivateKey for a JWT as a `CredentialsNode`.
   */
  private class JwtKey extends CredentialsNode {
-    JwtKey() { this = DataFlow::moduleMember("jsonwebtoken", "sign").getACall().getArgument(1) }
+    JwtKey() {
+      this =
+        API::moduleImport("jsonwebtoken").getMember(["sign", "verify"]).getParameter(1).asSink()
+    }

-    override string getCredentialsKind() { result = "key" }
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jose` library.
+ */
+private module Jose {
+  /**
+   * The asymmetric key or symmetric secret for verifying a JWT as a `CredentialsNode`.
+   */
+  private class JwtVerifyKey extends CredentialsNode {
+    JwtVerifyKey() {
+      this = API::moduleImport("jose").getMember("jwtVerify").getParameter(1).asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jwt-simple` library.
+ */
+private module JwtSimple {
+  /**
+   * The asymmetric key or symmetric secret for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() { this = API::moduleImport("jwt-simple").getMember("decode").getParameter(1).asSink() }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `koa-jwt` library.
+ */
+private module KoaJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this = API::moduleImport("koa-jwt").getParameter(0).getMember("secret").asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `express-jwt` library.
+ */
+private module ExpressJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this =
+        API::moduleImport("express-jwt")
+            .getMember("expressjwt")
+            .getParameter(0)
+            .getMember("secret")
+            .asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `passport-jwt` library.
+ */
+private module PassportJwt {
+  /**
+   * The secret (symmetric) or PEM-encoded public key (asymmetric) for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() {
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKey")
+            .asSink()
+      or
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKeyProvider")
+            .getParameter(2)
+            .getParameter(1)
+            .asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
  }
 }
--- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
@@ -255,4 +255,20 @@ module NextJS {
          .getMember("router")
          .asSource()
  }
+
+  /**
+   * Provides classes and predicates modeling the `next-auth` library.
+   */
+  private module NextAuth {
+    /**
+     * A random string used to hash tokens, sign cookies and generate cryptographic keys as a `CredentialsNode`.
+     */
+    private class SecretKey extends CredentialsNode {
+      SecretKey() {
+        this = API::moduleImport("next-auth").getParameter(0).getMember("secret").asSink()
+      }
+
+      override string getCredentialsKind() { result = "jwt key" }
+    }
+  }
 }
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll
@@ -45,3 +45,25 @@ extensible predicate typeModel(string type1, string type2, string path);
 * Holds if `path` can be substituted for a token `TypeVar[name]`.
 */
 extensible predicate typeVariableModel(string name, string path);
+
+/**
+ * Holds if the given extension tuple `madId` should pretty-print as `model`.
+ *
+ * This predicate should only be used in tests.
+ */
+predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
+  exists(string type, string path, string kind |
+    sourceModel(type, path, kind, madId) and
+    model = "Source: " + type + "; " + path + "; " + kind
+  )
+  or
+  exists(string type, string path, string kind |
+    sinkModel(type, path, kind, madId) and
+    model = "Sink: " + type + "; " + path + "; " + kind
+  )
+  or
+  exists(string type, string path, string input, string output, string kind |
+    summaryModel(type, path, input, output, kind, madId) and
+    model = "Summary: " + type + "; " + path + "; " + input + "; " + output + "; " + kind
+  )
+}
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -237,6 +237,15 @@ module ClientSideUrlRedirect {
    override predicate isXssSink() { any() }
  }

+  /**
+   * A `templateUrl` member of an AngularJS directive.
+   */
+  private class AngularJSTemplateUrlSink extends Sink {
+    AngularJSTemplateUrlSink() { this = any(AngularJS::CustomDirective d).getMember("templateUrl") }
+
+    override predicate isXssSink() { any() }
+  }
+
  private class SinkFromModel extends Sink {
    SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }
  }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
@@ -207,12 +207,14 @@ class PostMessageEventHandler extends Function {
 * An event parameter for a `postMessage` event handler, considered as an untrusted
 * source of data.
 */
-private class PostMessageEventParameter extends RemoteFlowSource {
+private class PostMessageEventParameter extends ClientSideRemoteFlowSource {
  PostMessageEventParameter() {
    this = DataFlow::parameterNode(any(PostMessageEventHandler pmeh).getEventParameter())
  }

  override string getSourceType() { result = "postMessage event" }
+
+  override ClientSideRemoteFlowKind getKind() { result.isMessageEvent() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
@@ -4,6 +4,7 @@
 * own.
 */

+import semmle.javascript.filters.ClassifyFiles
 import javascript
 private import semmle.javascript.security.SensitiveActions

@@ -38,5 +39,9 @@ module HardcodedCredentials {
   */
  class DefaultCredentialsSink extends Sink instanceof CredentialsNode {
    override string getKind() { result = super.getCredentialsKind() }
+
+    DefaultCredentialsSink() {
+      not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile()))
+    }
  }
 }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
@@ -35,5 +35,43 @@ class Configuration extends DataFlow::Configuration {
      trg = bufferFrom and
      src = bufferFrom.getArgument(0)
    )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember(["importSPKI", "importPKCS8", "importX509"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember(["importSPKI", "importPKCS8", "importX509"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(API::Node n | n = API::moduleImport("jose").getMember("importJWK") |
+      src = n.getParameter(0).getMember(["x", "y", "n"]).asSink() and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(DataFlow::CallNode n |
+      n = DataFlow::globalVarRef("TextEncoder").getAnInstantiation().getAMemberCall("encode")
+    |
+      src = n.getArgument(0) and
+      trg = n
+    )
+    or
+    exists(DataFlow::CallNode n | n = DataFlow::globalVarRef("Buffer").getAMemberCall("from") |
+      src = n.getArgument(0) and
+      trg = [n, n.getAChainedMethodCall(["toString", "toJSON"])]
+    )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember("base64url").getMember(["decode", "encode"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getACall()
+    )
  }
 }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll
@@ -40,7 +40,9 @@ import Cached
 * A type of remote flow source that is specific to the browser environment.
 */
 class ClientSideRemoteFlowKind extends string {
-  ClientSideRemoteFlowKind() { this = ["query", "fragment", "path", "url", "name"] }
+  ClientSideRemoteFlowKind() {
+    this = ["query", "fragment", "path", "url", "name", "message-event"]
+  }

  /**
   * Holds if this is the `query` kind, describing sources derived from the query parameters of the browser URL,
@@ -77,6 +79,12 @@ class ClientSideRemoteFlowKind extends string {

  /** Holds if this is the `name` kind, describing sources derived from the window name, such as `window.name`. */
  predicate isWindowName() { this = "name" }
+
+  /**
+   * Holds if this is the `message-event` kind, describing sources derived from cross-window message passing,
+   * such as `event` in `window.onmessage = event => {...}`.
+   */
+  predicate isMessageEvent() { this = "message-event" }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -653,10 +653,11 @@ module TaintedPath {
  }

  /**
-   * A `templateUrl` member of an AngularJS directive.
+   * DEPRECATED. This is no longer seen as a path-injection sink. It is tentatively handled
+   * by the client-side URL redirection query for now.
   */
-  class AngularJSTemplateUrlSink extends Sink, DataFlow::ValueNode {
-    AngularJSTemplateUrlSink() { this = any(AngularJS::CustomDirective d).getMember("templateUrl") }
+  deprecated class AngularJSTemplateUrlSink extends DataFlow::ValueNode instanceof Sink {
+    AngularJSTemplateUrlSink() { none() }
  }

  /**
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.1.1
+
+No user-facing changes.
+
 ## 1.1.0

 ### New Queries
--- a/javascript/ql/src/change-notes/2024-08-16-post-message-source-client-side.md
+++ b/javascript/ql/src/change-notes/2024-08-16-post-message-source-client-side.md
@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Message events in the browser are now properly classified as client-side taint sources. Previously they were
+  incorrectly classified as server-side taint sources, which resulted in some alerts being reported by
+  the wrong query, such as server-side URL redirection instead of client-side URL redirection.
--- a/javascript/ql/src/change-notes/released/1.1.1.md
+++ b/javascript/ql/src/change-notes/released/1.1.1.md
@@ -0,0 +1,3 @@
+## 1.1.1
+
+No user-facing changes.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.0
+lastReleaseVersion: 1.1.1
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 1.1.1-dev
+version: 1.1.2-dev
 groups:
  - javascript
  - queries
--- a/javascript/ql/test/library-tests/Modules/arbitarySpecifier.js
+++ b/javascript/ql/test/library-tests/Modules/arbitarySpecifier.js
@@ -0,0 +1,5 @@
+import { "Foo::new" as Foo_new } from "./foo.wasm"
+
+const foo = Foo_new()
+
+export { Foo_new as "Foo::new" }
--- a/javascript/ql/test/library-tests/Modules/tests.expected
+++ b/javascript/ql/test/library-tests/Modules/tests.expected
@@ -3,6 +3,7 @@ test_BulkReExportDeclarations
 test_ExportDeclarations
 | a.js:1:1:3:1 | export  ... n 23;\\n} |
 | a.js:5:1:5:32 | export  ...  } = o; |
+| arbitarySpecifier.js:5:1:5:32 | export  ... :new" } |
 | b.js:5:1:5:18 | export { f as g }; |
 | b.js:7:1:7:21 | export  ...  './a'; |
 | d.js:4:1:4:20 | export * from 'm/c'; |
@@ -18,6 +19,7 @@ test_ExportDefaultDeclarations
 | a.js:1:1:3:1 | export  ... n 23;\\n} |
 | es2015_require.js:3:1:3:25 | export  ... ss C {} |
 test_ExportSpecifiers
+| arbitarySpecifier.js:5:10:5:30 | Foo_new ... o::new" | arbitarySpecifier.js:5:10:5:16 | Foo_new | arbitarySpecifier.js:5:10:5:30 | Foo_new ... o::new" |
 | b.js:5:10:5:15 | f as g | b.js:5:10:5:10 | f | b.js:5:15:5:15 | g |
 | e.js:2:10:2:10 | x | e.js:2:10:2:10 | x | e.js:2:10:2:10 | x |
 | e.js:2:13:2:13 | y | e.js:2:13:2:13 | y | e.js:2:13:2:13 | y |
@@ -41,6 +43,7 @@ test_ImportNamespaceSpecifier
 | exports.js:1:8:1:17 | * as dummy |
 | m/c.js:1:8:1:13 | * as b |
 test_ImportSpecifiers
+| arbitarySpecifier.js:1:10:1:30 | "Foo::n ... Foo_new | arbitarySpecifier.js:1:24:1:30 | Foo_new |
 | b.js:1:8:1:8 | f | b.js:1:8:1:8 | f |
 | d.js:1:10:1:21 | default as g | d.js:1:21:1:21 | g |
 | d.js:1:24:1:29 | x as y | d.js:1:29:1:29 | y |
@@ -55,6 +58,7 @@ test_ImportSpecifiers
 | tst.html:5:10:5:10 | f | tst.html:5:10:5:10 | f |
 | unresolved.js:1:8:1:8 | f | unresolved.js:1:8:1:8 | f |
 test_Imports
+| arbitarySpecifier.js:1:1:1:50 | import  ... o.wasm" | arbitarySpecifier.js:1:39:1:50 | "./foo.wasm" | 1 |
 | b.js:1:1:1:20 | import f from './a'; | b.js:1:15:1:19 | './a' | 1 |
 | d.js:1:1:1:43 | import  ...  './a'; | d.js:1:38:1:42 | './a' | 2 |
 | d.js:2:1:2:13 | import './b'; | d.js:2:8:2:12 | './b' | 0 |
@@ -72,6 +76,7 @@ test_Module_exports
 | a.js:1:1:5:32 | <toplevel> | default | a.js:1:16:3:1 | functio ... n 23;\\n} |
 | a.js:1:1:5:32 | <toplevel> | x | a.js:5:18:5:20 | f() |
 | a.js:1:1:5:32 | <toplevel> | y | a.js:5:25:5:25 | y |
+| arbitarySpecifier.js:1:1:5:32 | <toplevel> | Foo::new | arbitarySpecifier.js:5:10:5:16 | Foo_new |
 | b.js:1:1:8:0 | <toplevel> | f2 | a.js:1:16:3:1 | functio ... n 23;\\n} |
 | b.js:1:1:8:0 | <toplevel> | g | b.js:5:10:5:10 | f |
 | e.js:1:1:4:0 | <toplevel> | g | a.js:1:16:3:1 | functio ... n 23;\\n} |
@@ -84,6 +89,7 @@ test_Module_exports
 | reExportNamespace.js:1:1:2:0 | <toplevel> | ns | reExportNamespace.js:1:8:1:14 | * as ns |
 | tst.html:4:23:8:0 | <toplevel> | y | tst.html:7:20:7:21 | 42 |
 test_NamedImportSpecifier
+| arbitarySpecifier.js:1:10:1:30 | "Foo::n ... Foo_new |
 | d.js:1:10:1:21 | default as g |
 | d.js:1:24:1:29 | x as y |
 | g.ts:1:9:1:11 | foo |
@@ -111,6 +117,7 @@ test_getAnImportedModule
 | library-tests/Modules/m/c.js | library-tests/Modules/b.js |
 | library-tests/Modules/reExportNamespaceClient.js | library-tests/Modules/reExportNamespace.js |
 test_getExportedName
+| arbitarySpecifier.js:5:10:5:30 | Foo_new ... o::new" | Foo::new |
 | b.js:5:10:5:15 | f as g | g |
 | b.js:7:8:7:9 | f2 | f2 |
 | e.js:2:10:2:10 | x | x |
@@ -119,6 +126,7 @@ test_getExportedName
 | m/c.js:5:10:5:15 | g as h | h |
 | reExportNamespace.js:1:8:1:14 | * as ns | ns |
 test_getImportedName
+| arbitarySpecifier.js:1:10:1:30 | "Foo::n ... Foo_new | Foo::new |
 | b.js:1:8:1:8 | f | default |
 | d.js:1:10:1:21 | default as g | default |
 | d.js:1:24:1:29 | x as y | x |
@@ -131,6 +139,7 @@ test_getImportedName
 | tst.html:5:10:5:10 | f | default |
 | unresolved.js:1:8:1:8 | f | default |
 test_getLocalName
+| arbitarySpecifier.js:5:10:5:30 | Foo_new ... o::new" | Foo_new |
 | b.js:5:10:5:15 | f as g | f |
 | b.js:7:8:7:9 | f2 | default |
 | e.js:2:10:2:10 | x | x |
@@ -141,6 +150,7 @@ test_getSourceNode
 | a.js:1:1:3:1 | export  ... n 23;\\n} | default | a.js:1:16:3:1 | functio ... n 23;\\n} |
 | a.js:5:1:5:32 | export  ...  } = o; | x | a.js:5:18:5:20 | f() |
 | a.js:5:1:5:32 | export  ...  } = o; | y | a.js:5:25:5:25 | y |
+| arbitarySpecifier.js:5:1:5:32 | export  ... :new" } | Foo::new | arbitarySpecifier.js:5:10:5:16 | Foo_new |
 | b.js:5:1:5:18 | export { f as g }; | g | b.js:5:10:5:10 | f |
 | b.js:7:1:7:21 | export  ...  './a'; | f2 | a.js:1:16:3:1 | functio ... n 23;\\n} |
 | e.js:2:1:2:16 | export { x, y }; | x | e.js:2:10:2:10 | x |
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -60,18 +60,6 @@ var server = http.createServer(function(req, res) {
  res.write(fs.readFileSync(pathModule.toNamespacedPath(path)));
 });

-angular.module('myApp', [])
-    .directive('myCustomer', function() {
-        return {
-            templateUrl: "SAFE" // OK
-        }
-    })
-    .directive('myCustomer', function() {
-        return {
-            templateUrl: Cookie.get("unsafe") // NOT OK
-        }
-    })
-
 var server = http.createServer(function(req, res) {
    // tests for a few uri-libraries
    res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // NOT OK
@@ -92,10 +80,6 @@ var server = http.createServer(function(req, res) {

 })();

-addEventListener('message', (ev) => {
-  Cookie.set("unsafe", ev.data);
-});
-
 var server = http.createServer(function(req, res) {
 	let path = url.parse(req.url, true).query.path;

@@ -110,25 +94,25 @@ var server = http.createServer(function(req, res) {

 var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path;
-  
+
  if (path) { // sanitization
    path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
    path = path.replace(/\.\./g, ''); // remove all ".."
  }
-  
+
  res.write(fs.readFileSync(path));  // OK. Is sanitized above.
 });

 var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path;
-  
+
  if (!path) {
-    
+
  } else { // sanitization
 	  path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
    path = path.replace(/\.\./g, ''); // remove all ".."
  }
-  
+
  res.write(fs.readFileSync(path));  // OK. Is sanitized above.
 });

@@ -142,15 +126,15 @@ var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path;

  fs.readFileSync(path); // NOT OK
-  
+
  var split = path.split("/");
-  
+
  fs.readFileSync(split.join("/")); // NOT OK

  fs.readFileSync(prefix + split[split.length - 1]) // OK

  fs.readFileSync(split[x]) // NOT OK
-  fs.readFileSync(prefix + split[x]) // NOT OK 
+  fs.readFileSync(prefix + split[x]) // NOT OK

  var concatted = prefix.concat(split);
  fs.readFileSync(concatted.join("/")); // NOT OK
@@ -158,13 +142,13 @@ var server = http.createServer(function(req, res) {
  var concatted2 = split.concat(prefix);
  fs.readFileSync(concatted2.join("/")); // NOT OK

-  fs.readFileSync(split.pop()); // NOT OK 
+  fs.readFileSync(split.pop()); // NOT OK

 });

 var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path;
-  
+
  // Removal of forward-slash or dots.
  res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); // OK.
  res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // NOT OK
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -86,6 +86,12 @@ nodes
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
+| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") |
+| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") |
+| angular-tempate-url.js:13:30:13:31 | ev |
+| angular-tempate-url.js:13:30:13:31 | ev |
+| angular-tempate-url.js:14:26:14:27 | ev |
+| angular-tempate-url.js:14:26:14:32 | ev.data |
 | classnames.js:7:31:7:84 | `<span  ... <span>` |
 | classnames.js:7:31:7:84 | `<span  ... <span>` |
 | classnames.js:7:47:7:69 | classNa ... w.name) |
@@ -1275,6 +1281,11 @@ edges
 | angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url |
 | angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url |
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
+| angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:14:26:14:27 | ev |
+| angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:14:26:14:27 | ev |
+| angular-tempate-url.js:14:26:14:27 | ev | angular-tempate-url.js:14:26:14:32 | ev.data |
+| angular-tempate-url.js:14:26:14:32 | ev.data | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") |
+| angular-tempate-url.js:14:26:14:32 | ev.data | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") |
 | classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span  ... <span>` |
 | classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span  ... <span>` |
 | classnames.js:7:58:7:68 | window.name | classnames.js:7:47:7:69 | classNa ... w.name) |
@@ -2407,6 +2418,7 @@ edges
 | angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:38:44:38:58 | this.router.url | user-provided value |
 | angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:40:45:40:59 | this.router.url | user-provided value |
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | user-provided value |
+| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | Cross-site scripting vulnerability due to $@. | angular-tempate-url.js:13:30:13:31 | ev | user-provided value |
 | classnames.js:7:31:7:84 | `<span  ... <span>` | classnames.js:7:58:7:68 | window.name | classnames.js:7:31:7:84 | `<span  ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:7:58:7:68 | window.name | user-provided value |
 | classnames.js:8:31:8:85 | `<span  ... <span>` | classnames.js:8:59:8:69 | window.name | classnames.js:8:31:8:85 | `<span  ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:8:59:8:69 | window.name | user-provided value |
 | classnames.js:9:31:9:85 | `<span  ... <span>` | classnames.js:9:59:9:69 | window.name | classnames.js:9:31:9:85 | `<span  ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:9:59:9:69 | window.name | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -86,6 +86,12 @@ nodes
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
+| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") |
+| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") |
+| angular-tempate-url.js:13:30:13:31 | ev |
+| angular-tempate-url.js:13:30:13:31 | ev |
+| angular-tempate-url.js:14:26:14:27 | ev |
+| angular-tempate-url.js:14:26:14:32 | ev.data |
 | classnames.js:7:31:7:84 | `<span  ... <span>` |
 | classnames.js:7:31:7:84 | `<span  ... <span>` |
 | classnames.js:7:47:7:69 | classNa ... w.name) |
@@ -1325,6 +1331,11 @@ edges
 | angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url |
 | angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url |
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
+| angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:14:26:14:27 | ev |
+| angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:14:26:14:27 | ev |
+| angular-tempate-url.js:14:26:14:27 | ev | angular-tempate-url.js:14:26:14:32 | ev.data |
+| angular-tempate-url.js:14:26:14:32 | ev.data | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") |
+| angular-tempate-url.js:14:26:14:32 | ev.data | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") |
 | classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span  ... <span>` |
 | classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span  ... <span>` |
 | classnames.js:7:58:7:68 | window.name | classnames.js:7:47:7:69 | classNa ... w.name) |
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js
@@ -0,0 +1,15 @@
+angular.module('myApp', [])
+    .directive('myCustomer', function() {
+        return {
+            templateUrl: "SAFE" // OK
+        }
+    })
+    .directive('myCustomer', function() {
+        return {
+            templateUrl: Cookie.get("unsafe") // NOT OK
+        }
+    });
+
+addEventListener('message', (ev) => {
+    Cookie.set("unsafe", ev.data);
+});
--- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
@@ -64,15 +64,13 @@ nodes
 | RegExpInjection.js:93:20:93:31 | process.argv |
 | RegExpInjection.js:93:20:93:31 | process.argv |
 | RegExpInjection.js:93:20:93:34 | process.argv[1] |
-| tst.js:1:46:1:46 | e |
-| tst.js:1:46:1:46 | e |
-| tst.js:2:9:2:21 | data |
-| tst.js:2:16:2:16 | e |
-| tst.js:2:16:2:21 | e.data |
-| tst.js:3:16:3:35 | "^"+ data.name + "$" |
-| tst.js:3:16:3:35 | "^"+ data.name + "$" |
-| tst.js:3:21:3:24 | data |
-| tst.js:3:21:3:29 | data.name |
+| tst.js:5:9:5:29 | data |
+| tst.js:5:16:5:29 | req.query.data |
+| tst.js:5:16:5:29 | req.query.data |
+| tst.js:6:16:6:35 | "^"+ data.name + "$" |
+| tst.js:6:16:6:35 | "^"+ data.name + "$" |
+| tst.js:6:21:6:24 | data |
+| tst.js:6:21:6:29 | data.name |
 edges
 | RegExpInjection.js:5:7:5:28 | key | RegExpInjection.js:8:31:8:33 | key |
 | RegExpInjection.js:5:7:5:28 | key | RegExpInjection.js:19:19:19:21 | key |
@@ -135,14 +133,12 @@ edges
 | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:20:93:34 | process.argv[1] |
 | RegExpInjection.js:93:20:93:34 | process.argv[1] | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` |
 | RegExpInjection.js:93:20:93:34 | process.argv[1] | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` |
-| tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e |
-| tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e |
-| tst.js:2:9:2:21 | data | tst.js:3:21:3:24 | data |
-| tst.js:2:16:2:16 | e | tst.js:2:16:2:21 | e.data |
-| tst.js:2:16:2:21 | e.data | tst.js:2:9:2:21 | data |
-| tst.js:3:21:3:24 | data | tst.js:3:21:3:29 | data.name |
-| tst.js:3:21:3:29 | data.name | tst.js:3:16:3:35 | "^"+ data.name + "$" |
-| tst.js:3:21:3:29 | data.name | tst.js:3:16:3:35 | "^"+ data.name + "$" |
+| tst.js:5:9:5:29 | data | tst.js:6:21:6:24 | data |
+| tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data |
+| tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data |
+| tst.js:6:21:6:24 | data | tst.js:6:21:6:29 | data.name |
+| tst.js:6:21:6:29 | data.name | tst.js:6:16:6:35 | "^"+ data.name + "$" |
+| tst.js:6:21:6:29 | data.name | tst.js:6:16:6:35 | "^"+ data.name + "$" |
 #select
 | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | This regular expression is constructed from a $@. | RegExpInjection.js:5:13:5:28 | req.param("key") | user-provided value |
 | RegExpInjection.js:19:14:19:22 | wrap(key) | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:19:14:19:22 | wrap(key) | This regular expression is constructed from a $@. | RegExpInjection.js:5:13:5:28 | req.param("key") | user-provided value |
@@ -161,4 +157,4 @@ edges
 | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | RegExpInjection.js:82:15:82:32 | req.param("input") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | This regular expression is constructed from a $@. | RegExpInjection.js:82:15:82:32 | req.param("input") | user-provided value |
 | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:91:20:91:30 | process.env | environment variable |
 | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:93:20:93:31 | process.argv | command-line argument |
-| tst.js:3:16:3:35 | "^"+ data.name + "$" | tst.js:1:46:1:46 | e | tst.js:3:16:3:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:1:46:1:46 | e | user-provided value |
+| tst.js:6:16:6:35 | "^"+ data.name + "$" | tst.js:5:16:5:29 | req.query.data | tst.js:6:16:6:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:5:16:5:29 | req.query.data | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-730/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-730/tst.js
@@ -1,12 +1,7 @@
-window.addEventListener("message", function (e) {
-    let data = e.data;
+const express = require('express');
+const app = express();
+
+app.get('/foo', (req, res) => {
+    let data = req.query.data;
    new RegExp("^"+ data.name + "$", "i"); // NOT OK
 });
-
-const SOMEONE_I_TRUST = "myself";
-window.addEventListener("message", function (e) {
-    if (e.origin === SOMEONE_I_TRUST) {
-        let data = e.data;
-        new RegExp("^"+ data.name + "$", "i"); // OK
-    }
-});
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -213,6 +213,11 @@ nodes
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" |
 | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:246:42:246:51 | privateKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
+| HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:249:23:249:31 | publicKey |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
@@ -283,6 +288,62 @@ nodes
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
+| HardcodedCredentials.js:308:9:308:44 | privateKey |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:316:9:316:44 | privateKey |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:317:52:317:61 | privateKey |
+| HardcodedCredentials.js:319:11:321:29 | spki |
+| HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` |
+| HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` |
+| HardcodedCredentials.js:322:9:322:56 | publicKey |
+| HardcodedCredentials.js:322:21:322:56 | await j ... RS256') |
+| HardcodedCredentials.js:322:43:322:46 | spki |
+| HardcodedCredentials.js:323:27:323:35 | publicKey |
+| HardcodedCredentials.js:323:27:323:35 | publicKey |
+| HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' |
+| HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' |
+| HardcodedCredentials.js:331:5:331:46 | publicKey |
+| HardcodedCredentials.js:331:17:331:46 | await j ... k, alg) |
+| HardcodedCredentials.js:335:31:335:39 | publicKey |
+| HardcodedCredentials.js:335:31:335:39 | publicKey |
+| HardcodedCredentials.js:344:9:344:43 | secretKey |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:349:21:349:29 | secretKey |
+| HardcodedCredentials.js:349:21:349:29 | secretKey |
+| HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:360:33:360:41 | secretKey |
+| HardcodedCredentials.js:375:9:375:43 | secretKey |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:378:24:378:32 | secretKey |
+| HardcodedCredentials.js:378:24:378:32 | secretKey |
+| HardcodedCredentials.js:385:31:385:39 | secretKey |
+| HardcodedCredentials.js:385:31:385:39 | secretKey |
+| HardcodedCredentials.js:396:9:396:43 | secretKey |
+| HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:399:17:399:25 | secretKey |
+| HardcodedCredentials.js:399:17:399:25 | secretKey |
+| HardcodedCredentials.js:414:9:414:43 | secretKey |
+| HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:416:27:416:35 | secretKey |
+| HardcodedCredentials.js:416:27:416:35 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -384,10 +445,15 @@ edges
 | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
 | HardcodedCredentials.js:237:47:237:54 | username | HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
 | HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
+| HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
 | HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
 | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
@@ -415,6 +481,50 @@ edges
 | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
 | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
+| HardcodedCredentials.js:308:9:308:44 | privateKey | HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:308:9:308:44 | privateKey | HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:9:308:44 | privateKey |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:9:308:44 | privateKey |
+| HardcodedCredentials.js:316:9:316:44 | privateKey | HardcodedCredentials.js:317:52:317:61 | privateKey |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:9:316:44 | privateKey |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:9:316:44 | privateKey |
+| HardcodedCredentials.js:317:52:317:61 | privateKey | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:317:52:317:61 | privateKey | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:319:11:321:29 | spki | HardcodedCredentials.js:322:43:322:46 | spki |
+| HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` | HardcodedCredentials.js:319:11:321:29 | spki |
+| HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` | HardcodedCredentials.js:319:11:321:29 | spki |
+| HardcodedCredentials.js:322:9:322:56 | publicKey | HardcodedCredentials.js:323:27:323:35 | publicKey |
+| HardcodedCredentials.js:322:9:322:56 | publicKey | HardcodedCredentials.js:323:27:323:35 | publicKey |
+| HardcodedCredentials.js:322:21:322:56 | await j ... RS256') | HardcodedCredentials.js:322:9:322:56 | publicKey |
+| HardcodedCredentials.js:322:43:322:46 | spki | HardcodedCredentials.js:322:21:322:56 | await j ... RS256') |
+| HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' | HardcodedCredentials.js:331:17:331:46 | await j ... k, alg) |
+| HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' | HardcodedCredentials.js:331:17:331:46 | await j ... k, alg) |
+| HardcodedCredentials.js:331:5:331:46 | publicKey | HardcodedCredentials.js:335:31:335:39 | publicKey |
+| HardcodedCredentials.js:331:5:331:46 | publicKey | HardcodedCredentials.js:335:31:335:39 | publicKey |
+| HardcodedCredentials.js:331:17:331:46 | await j ... k, alg) | HardcodedCredentials.js:331:5:331:46 | publicKey |
+| HardcodedCredentials.js:344:9:344:43 | secretKey | HardcodedCredentials.js:349:21:349:29 | secretKey |
+| HardcodedCredentials.js:344:9:344:43 | secretKey | HardcodedCredentials.js:349:21:349:29 | secretKey |
+| HardcodedCredentials.js:344:9:344:43 | secretKey | HardcodedCredentials.js:360:33:360:41 | secretKey |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:344:9:344:43 | secretKey |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:344:9:344:43 | secretKey |
+| HardcodedCredentials.js:360:33:360:41 | secretKey | HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:360:33:360:41 | secretKey | HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:375:9:375:43 | secretKey | HardcodedCredentials.js:378:24:378:32 | secretKey |
+| HardcodedCredentials.js:375:9:375:43 | secretKey | HardcodedCredentials.js:378:24:378:32 | secretKey |
+| HardcodedCredentials.js:375:9:375:43 | secretKey | HardcodedCredentials.js:385:31:385:39 | secretKey |
+| HardcodedCredentials.js:375:9:375:43 | secretKey | HardcodedCredentials.js:385:31:385:39 | secretKey |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:375:9:375:43 | secretKey |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:375:9:375:43 | secretKey |
+| HardcodedCredentials.js:396:9:396:43 | secretKey | HardcodedCredentials.js:399:17:399:25 | secretKey |
+| HardcodedCredentials.js:396:9:396:43 | secretKey | HardcodedCredentials.js:399:17:399:25 | secretKey |
+| HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:396:9:396:43 | secretKey |
+| HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:396:9:396:43 | secretKey |
+| HardcodedCredentials.js:414:9:414:43 | secretKey | HardcodedCredentials.js:416:27:416:35 | secretKey |
+| HardcodedCredentials.js:414:9:414:43 | secretKey | HardcodedCredentials.js:416:27:416:35 | secretKey |
+| HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:9:414:43 | secretKey |
+| HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:9:414:43 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
@@ -477,7 +587,20 @@ edges
 | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | authorization header |
-| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
+| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | jwt key |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:249:23:249:31 | publicKey | The hard-coded value "myHardCodedPublicKey" is used as $@. | HardcodedCredentials.js:249:23:249:31 | publicKey | jwt key |
 | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | authorization header |
 | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | authorization header |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | The hard-coded value "iubfewiaaweiybgaeuybgera" is used as $@. | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | key |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:309:34:309:43 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:309:34:309:43 | privateKey | jwt key |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) | jwt key |
+| HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` | HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` | HardcodedCredentials.js:323:27:323:35 | publicKey | The hard-coded value "-----BEGIN PUBLIC KEY-----\n    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9...\n    -----END PUBLIC KEY-----" is used as $@. | HardcodedCredentials.js:323:27:323:35 | publicKey | jwt key |
+| HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' | HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' | HardcodedCredentials.js:335:31:335:39 | publicKey | The hard-coded value "whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6f..." is used as $@. | HardcodedCredentials.js:335:31:335:39 | publicKey | jwt key |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:349:21:349:29 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:349:21:349:29 | secretKey | jwt key |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") | jwt key |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:378:24:378:32 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:378:24:378:32 | secretKey | jwt key |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:385:31:385:39 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:385:31:385:39 | secretKey | jwt key |
+| HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:399:17:399:25 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:399:17:399:25 | secretKey | jwt key |
+| HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:416:27:416:35 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:416:27:416:35 | secretKey | jwt key |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | user name |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | password |
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -300,4 +300,118 @@
    require('crypto').createHmac('sha256', 'SampleToken'); // OK
    require('crypto').createHmac('sha256', 'MyPassword'); // OK
    require('crypto').createHmac('sha256', 'iubfewiaaweiybgaeuybgera'); // NOT OK
+})();
+
+(function () {
+    const jwt_simple = require("jwt-simple");
+
+    var privateKey = "myHardCodedPrivateKey";
+    jwt_simple.decode(UserToken, privateKey); // NOT OK
+})();
+
+
+(async function () {
+    const jose = require("jose");
+
+    var privateKey = "myHardCodedPrivateKey";
+    jose.jwtVerify(token, new TextEncoder().encode(privateKey)) // NOT OK
+
+    const spki = `-----BEGIN PUBLIC KEY-----
+    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9...
+    -----END PUBLIC KEY-----`
+    let publicKey = await jose.importSPKI(spki, 'RS256')
+    jose.jwtVerify(token, publicKey) // NOT OK
+
+    const alg = 'RS256'
+    const jwk = {
+        kty: 'RSA',
+        n: 'whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6f...',
+        e: 'AQAB',
+    }
+    publicKey = await jose.importJWK(jwk, alg)
+    const jwt =
+        'eyJhbGciOiJSUzI1NiJ9.eyJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZSwiaWF0IjoxNjY5MDU2NDg4LCJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSJ9.gXrPZ3yM_60dMXGE69dusbpzYASNA-XIOwsb5D5xYnSxyj6_D6OR_uR_1vqhUm4AxZxcrH1_-XJAve9HCw8az_QzHcN-nETt-v6stCsYrn6Bv1YOc-mSJRZ8ll57KVqLbCIbjKwerNX5r2_Qg2TwmJzQdRs-AQDhy-s_DlJd8ql6wR4n-kDZpar-pwIvz4fFIN0Fj57SXpAbLrV6Eo4Byzl0xFD8qEYEpBwjrMMfxCZXTlAVhAq6KCoGlDTwWuExps342-0UErEtyIqDnDGcrfNWiUsoo8j-29IpKd-w9-C388u-ChCxoHz--H8WmMSZzx3zTXsZ5lXLZ9IKfanDKg'
+
+    await jose.jwtVerify(jwt, publicKey, { // NOT OK
+        issuer: 'urn:example:issuer',
+        audience: 'urn:example:audience',
+    })
+})();
+
+(function () {
+    const expressjwt = require("express-jwt");
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    app.get(
+        "/protected",
+        expressjwt.expressjwt({
+            secret: secretKey, algorithms: ["HS256"] // NOT OK
+        }),
+        function (req, res) {
+            if (!req.auth.admin) return res.sendStatus(401);
+            res.sendStatus(200);
+        }
+    );
+
+    app.get(
+        "/protected",
+        expressjwt.expressjwt({
+            secret: Buffer.from(secretKey, "base64"), // NOT OK
+            algorithms: ["RS256"],
+        }),
+        function (req, res) {
+            if (!req.auth.admin) return res.sendStatus(401);
+            res.sendStatus(200);
+        }
+    );
+
+})();
+
+(function () {
+    const JwtStrategy = require('passport-jwt').Strategy;
+    const passport = require('passport')
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    const opts = {}
+    opts.secretOrKey = secretKey; // NOT OK
+    passport.use(new JwtStrategy(opts, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+
+    passport.use(new JwtStrategy({
+        secretOrKeyProvider: function (request, rawJwtToken, done) {
+            return done(null, secretKey) // NOT OK
+        }
+    }, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+})();
+
+(function () {
+    import NextAuth from "next-auth"
+    import AppleProvider from "next-auth/providers/apple"
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    NextAuth({
+        secret: secretKey, // NOT OK
+        providers: [
+            AppleProvider({
+                clientId: process.env.APPLE_ID,
+                clientSecret: process.env.APPLE_SECRET,
+            }),
+        ],
+    })
+})();
+
+(function () {
+    const Koa = require('koa');
+    const jwt = require('koa-jwt');
+    const app = new Koa();
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    app.use(jwt({ secret: secretKey })); // NOT OK
 })();
--- a/javascript/ql/test/query-tests/Security/CWE-798/tests/HardcodedCredentialsDemo.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/tests/HardcodedCredentialsDemo.js
@@ -0,0 +1,33 @@
+(function () {
+    const pg = require('pg');
+
+    const client = new pg.Client({
+        user: 'dbuser',  // OK
+        host: 'database.server.com',
+        database: 'mydb',
+        password: 'hgfedcba',  // OK
+        port: 3211,
+    });
+    client.connect();
+})();
+
+(function () {
+    const JwtStrategy = require('passport-jwt').Strategy;
+    const passport = require('passport')
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    const opts = {}
+    opts.secretOrKey = secretKey; // NOT OK
+    passport.use(new JwtStrategy(opts, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+
+    passport.use(new JwtStrategy({
+        secretOrKeyProvider: function (request, rawJwtToken, done) {
+            return done(null, secretKey) // NOT OK
+        }
+    }, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+})();
				`@@ -0,0 +1 @@`
				`import { "foo" } from "foo"; // syntax-error, but it shouldn't crash the extractor`