adjust comments to reflect that tainted-path have no array-steps

2026-05-01 03:35:13 +02:00 · 2020-06-04 16:15:37 +02:00
parent ed4e1bbbdf
commit 5ce2987cb2
2 changed files with 2 additions and 4 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
@@ -1,2 +0,0 @@
-| query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js:10 | expected an alert, but found none | BAD: taint is preserved |
-| query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js:14 | expected an alert, but found none | BAD: taint is preserved |
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js
@@ -7,11 +7,11 @@ var fs = require('fs'),

 var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path;
-  res.write(fs.readFileSync(['public', path].join('/'))); // BAD: taint is preserved
+  res.write(fs.readFileSync(['public', path].join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY]

  let parts = ['public', path];
  parts = parts.map(x => x.toLowerCase());
-  res.write(fs.readFileSync(parts.join('/'))); // BAD: taint is preserved
+  res.write(fs.readFileSync(parts.join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY]
 });

 server.listen();