JS: Update expectations with new sources

Asger Feldthaus
2021-03-11 21:21:18 +00:00
parent a9383da2c3
commit 710cca5395
7 changed files with 156 additions and 332 deletions


@@ -128,8 +128,7 @@ nodes
| dates.js:18:59:18:63 | taint |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:56 | location |
| event-handler-receiver.js:2:49:2:56 | location |
| event-handler-receiver.js:2:49:2:61 | location.href |
| event-handler-receiver.js:2:49:2:61 | location.href |
| express.js:7:15:7:33 | req.param("wobble") |
| express.js:7:15:7:33 | req.param("wobble") |
@@ -791,8 +790,8 @@ edges
| dates.js:18:42:18:64 | datefor ... taint) | dates.js:18:31:18:66 | `Time i ... aint)}` |
| dates.js:18:42:18:64 | datefor ... taint) | dates.js:18:31:18:66 | `Time i ... aint)}` |
| dates.js:18:59:18:63 | taint | dates.js:18:42:18:64 | datefor ... taint) |
| event-handler-receiver.js:2:49:2:56 | location | event-handler-receiver.js:2:49:2:61 | location.href |
| event-handler-receiver.js:2:49:2:56 | location | event-handler-receiver.js:2:49:2:61 | location.href |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") |
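Review bot: Nothing in these regenerated expectations pins down whether the bare `location` / `document.location` object reaching a sink is still treated as a source. Going by the hunk counts, the `event-handler-receiver.js:2:49:2:56 | location` rows and their edge to `location.href` drop out here. The same appears to happen to the `angularjs.js`, `react.js` and `tst.js` object-level rows in the following file sections, so each path now starts at the property read (`location.href`, `location.search`, `document.location.hash`). The `#select` rows in the next section keep the same sinks and only change the reported source, so no alert looks lost among the cases shown. The query change itself is not on this page, so this is an inference: if the new source model covers only property reads, a flow where the object itself is coerced to a string would silently stop being reported. A test line for that case would make the expectation record the intended behaviour either way.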


@@ -13,60 +13,46 @@ nodes
| NoSQLCodeInjection.js:22:36:22:43 | req.body |
| NoSQLCodeInjection.js:22:36:22:43 | req.body |
| NoSQLCodeInjection.js:22:36:22:48 | req.body.name |
| angularjs.js:10:22:10:29 | location |
| angularjs.js:10:22:10:29 | location |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:30 | location |
| angularjs.js:13:23:13:30 | location |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:37 | location.search |
| angularjs.js:13:23:13:37 | location.search |
| angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:35 | location |
| angularjs.js:16:28:16:35 | location |
| angularjs.js:16:28:16:42 | location.search |
| angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:29 | location |
| angularjs.js:19:22:19:29 | location |
| angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:36 | location.search |
| angularjs.js:19:22:19:36 | location.search |
| angularjs.js:19:22:19:36 | location.search |
| angularjs.js:22:27:22:34 | location |
| angularjs.js:22:27:22:34 | location |
| angularjs.js:22:27:22:41 | location.search |
| angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:30 | location |
| angularjs.js:25:23:25:30 | location |
| angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:37 | location.search |
| angularjs.js:25:23:25:37 | location.search |
| angularjs.js:25:23:25:37 | location.search |
| angularjs.js:28:33:28:40 | location |
| angularjs.js:28:33:28:40 | location |
| angularjs.js:28:33:28:47 | location.search |
| angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:35 | location |
| angularjs.js:31:28:31:35 | location |
| angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:42 | location.search |
| angularjs.js:31:28:31:42 | location.search |
| angularjs.js:31:28:31:42 | location.search |
| angularjs.js:34:18:34:25 | location |
| angularjs.js:34:18:34:25 | location |
| angularjs.js:34:18:34:32 | location.search |
| angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:25 | location |
| angularjs.js:40:18:40:25 | location |
| angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:32 | location.search |
| angularjs.js:40:18:40:32 | location.search |
| angularjs.js:40:18:40:32 | location.search |
| angularjs.js:44:17:44:24 | location |
| angularjs.js:44:17:44:24 | location |
| angularjs.js:44:17:44:31 | location.search |
| angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:23 | location |
| angularjs.js:47:16:47:23 | location |
| angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:30 | location.search |
| angularjs.js:47:16:47:30 | location.search |
| angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:29 | location |
| angularjs.js:50:22:50:29 | location |
| angularjs.js:50:22:50:36 | location.search |
| angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location |
| angularjs.js:53:32:53:39 | location |
| angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:46 | location.search |
| angularjs.js:53:32:53:46 | location.search |
| angularjs.js:53:32:53:46 | location.search |
| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
@@ -118,8 +104,7 @@ nodes
| react-native.js:8:32:8:38 | tainted |
| react-native.js:10:23:10:29 | tainted |
| react-native.js:10:23:10:29 | tainted |
| react.js:10:56:10:72 | document.location |
| react.js:10:56:10:72 | document.location |
| react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:77 | documen ... on.hash |
| template-sinks.js:12:9:12:31 | tainted |
@@ -141,36 +126,29 @@ nodes
| template-sinks.js:20:27:20:33 | tainted |
| template-sinks.js:21:21:21:27 | tainted |
| template-sinks.js:21:21:21:27 | tainted |
| tst.js:2:6:2:22 | document.location |
| tst.js:2:6:2:22 | document.location |
| tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:5:12:5:28 | document.location |
| tst.js:5:12:5:28 | document.location |
| tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:26 | document.location |
| tst.js:14:10:14:26 | document.location |
| tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:33 | documen ... .search |
| tst.js:14:10:14:33 | documen ... .search |
| tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:37 | document.location |
| tst.js:17:21:17:37 | document.location |
| tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location |
| tst.js:20:30:20:46 | document.location |
| tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:23:11:23:27 | document.location |
| tst.js:23:11:23:27 | document.location |
| tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:26:26:26:33 | location |
| tst.js:26:26:26:33 | location |
| tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:53 | locatio ... ring(1) |
@@ -187,62 +165,20 @@ edges
| NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:36:22:48 | req.body.name |
| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search |
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
@@ -279,10 +215,7 @@ edges
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
| react.js:10:56:10:72 | document.location | react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:72 | document.location | react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:72 | document.location | react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:72 | document.location | react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... on.hash |
| template-sinks.js:12:9:12:31 | tainted | template-sinks.js:14:17:14:23 | tainted |
| template-sinks.js:12:9:12:31 | tainted | template-sinks.js:14:17:14:23 | tainted |
| template-sinks.js:12:9:12:31 | tainted | template-sinks.js:15:16:15:22 | tainted |
@@ -301,53 +234,43 @@ edges
| template-sinks.js:12:9:12:31 | tainted | template-sinks.js:21:21:21:27 | tainted |
| template-sinks.js:12:19:12:31 | req.query.foo | template-sinks.js:12:9:12:31 | tainted |
| template-sinks.js:12:19:12:31 | req.query.foo | template-sinks.js:12:9:12:31 | tainted |
| tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search |
| tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search |
| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:26:26:26:33 | location | tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:33 | location | tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
#select
| NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:18:24:18:31 | req.body | User-provided value |
| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:19:36:19:43 | req.body | User-provided value |
| NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:22:36:22:43 | req.body | User-provided value |
| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:10:22:10:29 | location | User-provided value |
| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:13:23:13:30 | location | User-provided value |
| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:16:28:16:35 | location | User-provided value |
| angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:19:22:19:29 | location | User-provided value |
| angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:22:27:22:34 | location | User-provided value |
| angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:25:23:25:30 | location | User-provided value |
| angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:28:33:28:40 | location | User-provided value |
| angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:31:28:31:35 | location | User-provided value |
| angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:34:18:34:25 | location | User-provided value |
| angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:40:18:40:25 | location | User-provided value |
| angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:44:17:44:24 | location | User-provided value |
| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:23 | location | User-provided value |
| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:29 | location | User-provided value |
| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:39 | location | User-provided value |
| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:10:22:10:36 | location.search | User-provided value |
| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:13:23:13:37 | location.search | User-provided value |
| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:16:28:16:42 | location.search | User-provided value |
| angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:19:22:19:36 | location.search | User-provided value |
| angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:41 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:22:27:22:41 | location.search | User-provided value |
| angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:37 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:25:23:25:37 | location.search | User-provided value |
| angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:47 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:28:33:28:47 | location.search | User-provided value |
| angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:42 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:31:28:31:42 | location.search | User-provided value |
| angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:32 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:34:18:34:32 | location.search | User-provided value |
| angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:32 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:40:18:40:32 | location.search | User-provided value |
| angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:31 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:44:17:44:31 | location.search | User-provided value |
| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:30 | location.search | User-provided value |
| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:36 | location.search | User-provided value |
| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:46 | location.search | User-provided value |
| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` | bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` | $@ flows to here and is interpreted as code. | bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | User-provided value |
| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` | bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` | $@ flows to here and is interpreted as code. | bad-code-sanitization.js:56:16:56:23 | req.body | User-provided value |
| express.js:7:24:7:69 | "return ... + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:7:44:7:62 | req.param("wobble") | User-provided value |
@@ -360,7 +283,7 @@ edges
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | $@ flows to here and is interpreted as code. | module.js:9:16:9:29 | req.query.code | User-provided value |
| react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | $@ flows to here and is interpreted as code. | react-native.js:7:17:7:33 | req.param("code") | User-provided value |
| react-native.js:10:23:10:29 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:10:23:10:29 | tainted | $@ flows to here and is interpreted as code. | react-native.js:7:17:7:33 | req.param("code") | User-provided value |
| react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:72 | document.location | react.js:10:56:10:77 | documen ... on.hash | $@ flows to here and is interpreted as code. | react.js:10:56:10:72 | document.location | User-provided value |
| react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... on.hash | $@ flows to here and is interpreted as code. | react.js:10:56:10:77 | documen ... on.hash | User-provided value |
| template-sinks.js:14:17:14:23 | tainted | template-sinks.js:12:19:12:31 | req.query.foo | template-sinks.js:14:17:14:23 | tainted | $@ flows to here and is interpreted as a template, which may contain code. | template-sinks.js:12:19:12:31 | req.query.foo | User-provided value |
| template-sinks.js:15:16:15:22 | tainted | template-sinks.js:12:19:12:31 | req.query.foo | template-sinks.js:15:16:15:22 | tainted | $@ flows to here and is interpreted as a template, which may contain code. | template-sinks.js:12:19:12:31 | req.query.foo | User-provided value |
| template-sinks.js:16:18:16:24 | tainted | template-sinks.js:12:19:12:31 | req.query.foo | template-sinks.js:16:18:16:24 | tainted | $@ flows to here and is interpreted as a template, which may contain code. | template-sinks.js:12:19:12:31 | req.query.foo | User-provided value |
@@ -369,10 +292,10 @@ edges
| template-sinks.js:19:16:19:22 | tainted | template-sinks.js:12:19:12:31 | req.query.foo | template-sinks.js:19:16:19:22 | tainted | $@ flows to here and is interpreted as a template, which may contain code. | template-sinks.js:12:19:12:31 | req.query.foo | User-provided value |
| template-sinks.js:20:27:20:33 | tainted | template-sinks.js:12:19:12:31 | req.query.foo | template-sinks.js:20:27:20:33 | tainted | $@ flows to here and is interpreted as a template, which may contain code. | template-sinks.js:12:19:12:31 | req.query.foo | User-provided value |
| template-sinks.js:21:21:21:27 | tainted | template-sinks.js:12:19:12:31 | req.query.foo | template-sinks.js:21:21:21:27 | tainted | $@ flows to here and is interpreted as a template, which may contain code. | template-sinks.js:12:19:12:31 | req.query.foo | User-provided value |
| tst.js:2:6:2:83 | documen ... t=")+8) | tst.js:2:6:2:22 | document.location | tst.js:2:6:2:83 | documen ... t=")+8) | $@ flows to here and is interpreted as code. | tst.js:2:6:2:22 | document.location | User-provided value |
| tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:5:12:5:28 | document.location | User-provided value |
| tst.js:14:10:14:74 | documen ... , "$1") | tst.js:14:10:14:26 | document.location | tst.js:14:10:14:74 | documen ... , "$1") | $@ flows to here and is interpreted as code. | tst.js:14:10:14:26 | document.location | User-provided value |
| tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:17:21:17:37 | document.location | User-provided value |
| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:20:30:20:46 | document.location | User-provided value |
| tst.js:23:6:23:46 | atob(do ... ing(1)) | tst.js:23:11:23:27 | document.location | tst.js:23:6:23:46 | atob(do ... ing(1)) | $@ flows to here and is interpreted as code. | tst.js:23:11:23:27 | document.location | User-provided value |
| tst.js:26:26:26:53 | locatio ... ring(1) | tst.js:26:26:26:33 | location | tst.js:26:26:26:53 | locatio ... ring(1) | $@ flows to here and is interpreted as code. | tst.js:26:26:26:33 | location | User-provided value |
| tst.js:2:6:2:83 | documen ... t=")+8) | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | $@ flows to here and is interpreted as code. | tst.js:2:6:2:27 | documen ... on.href | User-provided value |
| tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:5:12:5:33 | documen ... on.hash | User-provided value |
| tst.js:14:10:14:74 | documen ... , "$1") | tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | $@ flows to here and is interpreted as code. | tst.js:14:10:14:33 | documen ... .search | User-provided value |
| tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:17:21:17:42 | documen ... on.hash | User-provided value |
| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:20:30:20:51 | documen ... on.hash | User-provided value |
| tst.js:23:6:23:46 | atob(do ... ing(1)) | tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:6:23:46 | atob(do ... ing(1)) | $@ flows to here and is interpreted as code. | tst.js:23:11:23:32 | documen ... on.hash | User-provided value |
| tst.js:26:26:26:53 | locatio ... ring(1) | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | $@ flows to here and is interpreted as code. | tst.js:26:26:26:40 | location.search | User-provided value |


@@ -13,60 +13,46 @@ nodes
| NoSQLCodeInjection.js:22:36:22:43 | req.body |
| NoSQLCodeInjection.js:22:36:22:43 | req.body |
| NoSQLCodeInjection.js:22:36:22:48 | req.body.name |
| angularjs.js:10:22:10:29 | location |
| angularjs.js:10:22:10:29 | location |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:30 | location |
| angularjs.js:13:23:13:30 | location |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:37 | location.search |
| angularjs.js:13:23:13:37 | location.search |
| angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:35 | location |
| angularjs.js:16:28:16:35 | location |
| angularjs.js:16:28:16:42 | location.search |
| angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:29 | location |
| angularjs.js:19:22:19:29 | location |
| angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:36 | location.search |
| angularjs.js:19:22:19:36 | location.search |
| angularjs.js:19:22:19:36 | location.search |
| angularjs.js:22:27:22:34 | location |
| angularjs.js:22:27:22:34 | location |
| angularjs.js:22:27:22:41 | location.search |
| angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:30 | location |
| angularjs.js:25:23:25:30 | location |
| angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:37 | location.search |
| angularjs.js:25:23:25:37 | location.search |
| angularjs.js:25:23:25:37 | location.search |
| angularjs.js:28:33:28:40 | location |
| angularjs.js:28:33:28:40 | location |
| angularjs.js:28:33:28:47 | location.search |
| angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:35 | location |
| angularjs.js:31:28:31:35 | location |
| angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:42 | location.search |
| angularjs.js:31:28:31:42 | location.search |
| angularjs.js:31:28:31:42 | location.search |
| angularjs.js:34:18:34:25 | location |
| angularjs.js:34:18:34:25 | location |
| angularjs.js:34:18:34:32 | location.search |
| angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:25 | location |
| angularjs.js:40:18:40:25 | location |
| angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:32 | location.search |
| angularjs.js:40:18:40:32 | location.search |
| angularjs.js:40:18:40:32 | location.search |
| angularjs.js:44:17:44:24 | location |
| angularjs.js:44:17:44:24 | location |
| angularjs.js:44:17:44:31 | location.search |
| angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:23 | location |
| angularjs.js:47:16:47:23 | location |
| angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:30 | location.search |
| angularjs.js:47:16:47:30 | location.search |
| angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:29 | location |
| angularjs.js:50:22:50:29 | location |
| angularjs.js:50:22:50:36 | location.search |
| angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location |
| angularjs.js:53:32:53:39 | location |
| angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:46 | location.search |
| angularjs.js:53:32:53:46 | location.search |
| angularjs.js:53:32:53:46 | location.search |
| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
@@ -122,8 +108,7 @@ nodes
| react-native.js:8:32:8:38 | tainted |
| react-native.js:10:23:10:29 | tainted |
| react-native.js:10:23:10:29 | tainted |
| react.js:10:56:10:72 | document.location |
| react.js:10:56:10:72 | document.location |
| react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:77 | documen ... on.hash |
| template-sinks.js:12:9:12:31 | tainted |
@@ -145,36 +130,29 @@ nodes
| template-sinks.js:20:27:20:33 | tainted |
| template-sinks.js:21:21:21:27 | tainted |
| template-sinks.js:21:21:21:27 | tainted |
| tst.js:2:6:2:22 | document.location |
| tst.js:2:6:2:22 | document.location |
| tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:5:12:5:28 | document.location |
| tst.js:5:12:5:28 | document.location |
| tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:26 | document.location |
| tst.js:14:10:14:26 | document.location |
| tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:33 | documen ... .search |
| tst.js:14:10:14:33 | documen ... .search |
| tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:37 | document.location |
| tst.js:17:21:17:37 | document.location |
| tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location |
| tst.js:20:30:20:46 | document.location |
| tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:23:11:23:27 | document.location |
| tst.js:23:11:23:27 | document.location |
| tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:26:26:26:33 | location |
| tst.js:26:26:26:33 | location |
| tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:53 | locatio ... ring(1) |
@@ -191,62 +169,20 @@ edges
| NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:36:22:48 | req.body.name |
| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search |
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
@@ -287,10 +223,7 @@ edges
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
| react.js:10:56:10:72 | document.location | react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:72 | document.location | react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:72 | document.location | react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:72 | document.location | react.js:10:56:10:77 | documen ... on.hash |
| react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... on.hash |
| template-sinks.js:12:9:12:31 | tainted | template-sinks.js:14:17:14:23 | tainted |
| template-sinks.js:12:9:12:31 | tainted | template-sinks.js:14:17:14:23 | tainted |
| template-sinks.js:12:9:12:31 | tainted | template-sinks.js:15:16:15:22 | tainted |
@@ -309,33 +242,23 @@ edges
| template-sinks.js:12:9:12:31 | tainted | template-sinks.js:21:21:21:27 | tainted |
| template-sinks.js:12:19:12:31 | req.query.foo | template-sinks.js:12:9:12:31 | tainted |
| template-sinks.js:12:19:12:31 | req.query.foo | template-sinks.js:12:9:12:31 | tainted |
| tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search |
| tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search |
| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:26:26:26:33 | location | tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:33 | location | tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
#select


@@ -3,26 +3,21 @@ nodes
| electron.js:4:12:4:22 | window.name |
| electron.js:7:20:7:29 | getTaint() |
| electron.js:7:20:7:29 | getTaint() |
| react.js:10:60:10:76 | document.location |
| react.js:10:60:10:76 | document.location |
| react.js:10:60:10:81 | documen ... on.hash |
| react.js:10:60:10:81 | documen ... on.hash |
| react.js:21:24:21:40 | document.location |
| react.js:21:24:21:40 | document.location |
| react.js:10:60:10:81 | documen ... on.hash |
| react.js:21:24:21:45 | documen ... on.hash |
| react.js:21:24:21:45 | documen ... on.hash |
| react.js:28:43:28:59 | document.location |
| react.js:28:43:28:59 | document.location |
| react.js:21:24:21:45 | documen ... on.hash |
| react.js:28:43:28:64 | documen ... on.hash |
| react.js:28:43:28:64 | documen ... on.hash |
| react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:34:43:34:59 | document.location |
| react.js:34:43:34:59 | document.location |
| react.js:34:43:34:64 | documen ... on.hash |
| react.js:34:43:34:64 | documen ... on.hash |
| react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:40:19:40:35 | document.location |
| react.js:40:19:40:35 | document.location |
| react.js:40:19:40:40 | documen ... on.hash |
| react.js:40:19:40:40 | documen ... on.hash |
| react.js:40:19:40:50 | documen ... bstr(1) |
| react.js:40:19:40:50 | documen ... bstr(1) |
@@ -193,24 +188,18 @@ edges
| electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
| electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
| electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
| react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash |
| react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash |
| react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash |
| react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash |
| react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
| react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
| react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
| react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
| react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
| react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
| react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:81 | documen ... on.hash |
| react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:45 | documen ... on.hash |
| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
| react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:40:19:40:35 | document.location | react.js:40:19:40:40 | documen ... on.hash |
| react.js:40:19:40:35 | document.location | react.js:40:19:40:40 | documen ... on.hash |
| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
@@ -360,11 +349,11 @@ edges
| typed.ts:28:24:28:34 | redirectUri | typed.ts:29:33:29:43 | redirectUri |
#select
| electron.js:7:20:7:29 | getTaint() | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() | Untrusted URL redirection due to $@. | electron.js:4:12:4:22 | window.name | user-provided value |
| react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:10:60:10:76 | document.location | user-provided value |
| react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:21:24:21:40 | document.location | user-provided value |
| react.js:28:43:28:74 | documen ... bstr(1) | react.js:28:43:28:59 | document.location | react.js:28:43:28:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:28:43:28:59 | document.location | user-provided value |
| react.js:34:43:34:74 | documen ... bstr(1) | react.js:34:43:34:59 | document.location | react.js:34:43:34:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:34:43:34:59 | document.location | user-provided value |
| react.js:40:19:40:50 | documen ... bstr(1) | react.js:40:19:40:35 | document.location | react.js:40:19:40:50 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:40:19:40:35 | document.location | user-provided value |
| react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:81 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:10:60:10:81 | documen ... on.hash | user-provided value |
| react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:45 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:21:24:21:45 | documen ... on.hash | user-provided value |
| react.js:28:43:28:74 | documen ... bstr(1) | react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:28:43:28:64 | documen ... on.hash | user-provided value |
| react.js:34:43:34:74 | documen ... bstr(1) | react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:34:43:34:64 | documen ... on.hash | user-provided value |
| react.js:40:19:40:50 | documen ... bstr(1) | react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:40:19:40:40 | documen ... on.hash | user-provided value |
| sanitizer.js:4:27:4:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:4:27:4:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
| sanitizer.js:16:27:16:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:16:27:16:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
| sanitizer.js:19:27:19:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:19:27:19:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |


@@ -1,7 +1,6 @@
nodes
| domparser.js:2:7:2:36 | src |
| domparser.js:2:13:2:29 | document.location |
| domparser.js:2:13:2:29 | document.location |
| domparser.js:2:13:2:36 | documen ... .search |
| domparser.js:2:13:2:36 | documen ... .search |
| domparser.js:11:55:11:57 | src |
| domparser.js:11:55:11:57 | src |
@@ -33,8 +32,7 @@ edges
| domparser.js:2:7:2:36 | src | domparser.js:11:55:11:57 | src |
| domparser.js:2:7:2:36 | src | domparser.js:14:57:14:59 | src |
| domparser.js:2:7:2:36 | src | domparser.js:14:57:14:59 | src |
| domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search |
| domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search |
| domparser.js:2:13:2:36 | documen ... .search | domparser.js:2:7:2:36 | src |
| domparser.js:2:13:2:36 | documen ... .search | domparser.js:2:7:2:36 | src |
| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
| libxml.noent.js:11:21:11:41 | req.par ... e-xml") | libxml.noent.js:11:21:11:41 | req.par ... e-xml") |
@@ -47,8 +45,8 @@ edges
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
#select
| domparser.js:11:55:11:57 | src | domparser.js:2:13:2:29 | document.location | domparser.js:11:55:11:57 | src | A $@ is parsed as XML without guarding against external entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value |
| domparser.js:14:57:14:59 | src | domparser.js:2:13:2:29 | document.location | domparser.js:14:57:14:59 | src | A $@ is parsed as XML without guarding against external entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value |
| domparser.js:11:55:11:57 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:11:55:11:57 | src | A $@ is parsed as XML without guarding against external entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |
| domparser.js:14:57:14:59 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:14:57:14:59 | src | A $@ is parsed as XML without guarding against external entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |
| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | user-provided value |
| libxml.noent.js:11:21:11:41 | req.par ... e-xml") | libxml.noent.js:11:21:11:41 | req.par ... e-xml") | libxml.noent.js:11:21:11:41 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.noent.js:11:21:11:41 | req.par ... e-xml") | user-provided value |
| libxml.noent.js:14:27:14:47 | req.par ... e-xml") | libxml.noent.js:14:27:14:47 | req.par ... e-xml") | libxml.noent.js:14:27:14:47 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.noent.js:14:27:14:47 | req.par ... e-xml") | user-provided value |


@@ -5,8 +5,7 @@ nodes
| XpathInjectionBad.js:9:34:9:96 | "//user ... text()" |
| XpathInjectionBad.js:9:34:9:96 | "//user ... text()" |
| XpathInjectionBad.js:9:66:9:73 | userName |
| tst2.js:1:13:1:29 | document.location |
| tst2.js:1:13:1:29 | document.location |
| tst2.js:1:13:1:34 | documen ... on.hash |
| tst2.js:1:13:1:34 | documen ... on.hash |
| tst2.js:1:13:1:47 | documen ... ring(1) |
| tst2.js:2:27:2:31 | query |
@@ -30,8 +29,7 @@ edges
| XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | XpathInjectionBad.js:6:7:6:38 | userName |
| XpathInjectionBad.js:9:66:9:73 | userName | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" |
| XpathInjectionBad.js:9:66:9:73 | userName | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" |
| tst2.js:1:13:1:29 | document.location | tst2.js:1:13:1:34 | documen ... on.hash |
| tst2.js:1:13:1:29 | document.location | tst2.js:1:13:1:34 | documen ... on.hash |
| tst2.js:1:13:1:34 | documen ... on.hash | tst2.js:1:13:1:47 | documen ... ring(1) |
| tst2.js:1:13:1:34 | documen ... on.hash | tst2.js:1:13:1:47 | documen ... ring(1) |
| tst2.js:1:13:1:47 | documen ... ring(1) | tst2.js:2:27:2:31 | query |
| tst2.js:1:13:1:47 | documen ... ring(1) | tst2.js:2:27:2:31 | query |
@@ -49,8 +47,8 @@ edges
| tst.js:6:17:6:37 | req.par ... rName") | tst.js:6:7:6:37 | tainted |
#select
| XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | $@ flows here and is used in an XPath expression. | XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | User-provided value |
| tst2.js:2:27:2:31 | query | tst2.js:1:13:1:29 | document.location | tst2.js:2:27:2:31 | query | $@ flows here and is used in an XPath expression. | tst2.js:1:13:1:29 | document.location | User-provided value |
| tst2.js:3:19:3:23 | query | tst2.js:1:13:1:29 | document.location | tst2.js:3:19:3:23 | query | $@ flows here and is used in an XPath expression. | tst2.js:1:13:1:29 | document.location | User-provided value |
| tst2.js:2:27:2:31 | query | tst2.js:1:13:1:34 | documen ... on.hash | tst2.js:2:27:2:31 | query | $@ flows here and is used in an XPath expression. | tst2.js:1:13:1:34 | documen ... on.hash | User-provided value |
| tst2.js:3:19:3:23 | query | tst2.js:1:13:1:34 | documen ... on.hash | tst2.js:3:19:3:23 | query | $@ flows here and is used in an XPath expression. | tst2.js:1:13:1:34 | documen ... on.hash | User-provided value |
| tst.js:7:15:7:21 | tainted | tst.js:6:17:6:37 | req.par ... rName") | tst.js:7:15:7:21 | tainted | $@ flows here and is used in an XPath expression. | tst.js:6:17:6:37 | req.par ... rName") | User-provided value |
| tst.js:8:16:8:22 | tainted | tst.js:6:17:6:37 | req.par ... rName") | tst.js:8:16:8:22 | tainted | $@ flows here and is used in an XPath expression. | tst.js:6:17:6:37 | req.par ... rName") | User-provided value |
| tst.js:9:17:9:23 | tainted | tst.js:6:17:6:37 | req.par ... rName") | tst.js:9:17:9:23 | tainted | $@ flows here and is used in an XPath expression. | tst.js:6:17:6:37 | req.par ... rName") | User-provided value |


@@ -1,13 +1,11 @@
nodes
| closure.js:2:7:2:36 | src |
| closure.js:2:13:2:29 | document.location |
| closure.js:2:13:2:29 | document.location |
| closure.js:2:13:2:36 | documen ... .search |
| closure.js:2:13:2:36 | documen ... .search |
| closure.js:4:24:4:26 | src |
| closure.js:4:24:4:26 | src |
| domparser.js:2:7:2:36 | src |
| domparser.js:2:13:2:29 | document.location |
| domparser.js:2:13:2:29 | document.location |
| domparser.js:2:13:2:36 | documen ... .search |
| domparser.js:2:13:2:36 | documen ... .search |
| domparser.js:6:37:6:39 | src |
| domparser.js:6:37:6:39 | src |
@@ -19,8 +17,7 @@ nodes
| expat.js:6:16:6:36 | req.par ... e-xml") |
| expat.js:6:16:6:36 | req.par ... e-xml") |
| jquery.js:2:7:2:36 | src |
| jquery.js:2:13:2:29 | document.location |
| jquery.js:2:13:2:29 | document.location |
| jquery.js:2:13:2:36 | documen ... .search |
| jquery.js:2:13:2:36 | documen ... .search |
| jquery.js:5:14:5:16 | src |
| jquery.js:5:14:5:16 | src |
@@ -39,8 +36,7 @@ nodes
edges
| closure.js:2:7:2:36 | src | closure.js:4:24:4:26 | src |
| closure.js:2:7:2:36 | src | closure.js:4:24:4:26 | src |
| closure.js:2:13:2:29 | document.location | closure.js:2:13:2:36 | documen ... .search |
| closure.js:2:13:2:29 | document.location | closure.js:2:13:2:36 | documen ... .search |
| closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src |
| closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src |
| domparser.js:2:7:2:36 | src | domparser.js:6:37:6:39 | src |
| domparser.js:2:7:2:36 | src | domparser.js:6:37:6:39 | src |
@@ -48,26 +44,24 @@ edges
| domparser.js:2:7:2:36 | src | domparser.js:11:55:11:57 | src |
| domparser.js:2:7:2:36 | src | domparser.js:14:57:14:59 | src |
| domparser.js:2:7:2:36 | src | domparser.js:14:57:14:59 | src |
| domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search |
| domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search |
| domparser.js:2:13:2:36 | documen ... .search | domparser.js:2:7:2:36 | src |
| domparser.js:2:13:2:36 | documen ... .search | domparser.js:2:7:2:36 | src |
| expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") |
| jquery.js:2:7:2:36 | src | jquery.js:5:14:5:16 | src |
| jquery.js:2:7:2:36 | src | jquery.js:5:14:5:16 | src |
| jquery.js:2:13:2:29 | document.location | jquery.js:2:13:2:36 | documen ... .search |
| jquery.js:2:13:2:29 | document.location | jquery.js:2:13:2:36 | documen ... .search |
| jquery.js:2:13:2:36 | documen ... .search | jquery.js:2:7:2:36 | src |
| jquery.js:2:13:2:36 | documen ... .search | jquery.js:2:7:2:36 | src |
| libxml.js:6:21:6:41 | req.par ... e-xml") | libxml.js:6:21:6:41 | req.par ... e-xml") |
| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
#select
| closure.js:4:24:4:26 | src | closure.js:2:13:2:29 | document.location | closure.js:4:24:4:26 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | closure.js:2:13:2:29 | document.location | user-provided value |
| domparser.js:6:37:6:39 | src | domparser.js:2:13:2:29 | document.location | domparser.js:6:37:6:39 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value |
| domparser.js:11:55:11:57 | src | domparser.js:2:13:2:29 | document.location | domparser.js:11:55:11:57 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value |
| domparser.js:14:57:14:59 | src | domparser.js:2:13:2:29 | document.location | domparser.js:14:57:14:59 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value |
| closure.js:4:24:4:26 | src | closure.js:2:13:2:36 | documen ... .search | closure.js:4:24:4:26 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | closure.js:2:13:2:36 | documen ... .search | user-provided value |
| domparser.js:6:37:6:39 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:6:37:6:39 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |
| domparser.js:11:55:11:57 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:11:55:11:57 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |
| domparser.js:14:57:14:59 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:14:57:14:59 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |
| expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | expat.js:6:16:6:36 | req.par ... e-xml") | user-provided value |
| jquery.js:5:14:5:16 | src | jquery.js:2:13:2:29 | document.location | jquery.js:5:14:5:16 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | jquery.js:2:13:2:29 | document.location | user-provided value |
| jquery.js:5:14:5:16 | src | jquery.js:2:13:2:36 | documen ... .search | jquery.js:5:14:5:16 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | jquery.js:2:13:2:36 | documen ... .search | user-provided value |
| libxml.js:6:21:6:41 | req.par ... e-xml") | libxml.js:6:21:6:41 | req.par ... e-xml") | libxml.js:6:21:6:41 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | libxml.js:6:21:6:41 | req.par ... e-xml") | user-provided value |
| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | user-provided value |
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | user-provided value |