JS: Added test cases with new RegExp for Tainted paths, currently works only with literals

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -221,10 +221,10 @@ module TaintedPath {
       this instanceof StringReplaceCall and
       input = this.getReceiver() and
       output = this and
-      not exists(RegExpLiteral literal, RegExpTerm term |
-        this.(StringReplaceCall).getRegExp().asExpr() = literal and
+      not exists(DataFlow::RegExpCreationNode regexp, RegExpTerm term |
+        this.(StringReplaceCall).getRegExp() = regexp and
         this.(StringReplaceCall).isGlobal() and
-        literal.getRoot() = term
+        regexp.getRoot() = term
       |
         term.getAMatchedString() = "/" or
         term.getAMatchedString() = "." or

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected

@@ -0,0 +1 @@
+| TaintedPath.js:207 | did not expect an alert, but found an alert for TaintedPath | OK -- Might be okay depending on what unknownFlags evaluates to. |  |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

@@ -1517,6 +1517,141 @@ nodes
 | TaintedPath.js:198:35:198:38 | path |
 | TaintedPath.js:198:35:198:38 | path |
 | TaintedPath.js:198:35:198:38 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:24:202:30 | req.url |
+| TaintedPath.js:202:24:202:30 | req.url |
+| TaintedPath.js:202:24:202:30 | req.url |
+| TaintedPath.js:202:24:202:30 | req.url |
+| TaintedPath.js:202:24:202:30 | req.url |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') |
 | examples/TaintedPath.js:8:7:8:52 | filePath |
 | examples/TaintedPath.js:8:7:8:52 | filePath |
 | examples/TaintedPath.js:8:7:8:52 | filePath |
@@ -6680,6 +6815,182 @@ edges
 | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) |
 | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) |
 | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:207:29:207:32 | path |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
+| TaintedPath.js:207:29:207:32 | path | TaintedPath.js:207:29:207:97 | path.re ... )), '') |
 | examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath |
 | examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath |
 | examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath |
@@ -10499,6 +10810,8 @@ edges
 | TaintedPath.js:196:31:196:34 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:196:31:196:34 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
 | TaintedPath.js:197:45:197:48 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:197:45:197:48 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
 | TaintedPath.js:198:35:198:38 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:198:35:198:38 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:206:29:206:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value |
+| TaintedPath.js:207:29:207:97 | path.re ... )), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:207:29:207:97 | path.re ... )), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value |
 | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value |
 | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. | express.js:8:20:8:32 | req.query.bar | user-provided value |
 | handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js

@@ -197,3 +197,12 @@ var server = http.createServer(function(req, res) {
   cp.execFileSync("foobar", ["args"], {cwd: path}); // NOT OK
   cp.execFileSync("foobar", {cwd: path}); // NOT OK
 });
+
+var server = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path;
+
+  // Removal of forward-slash or dots.
+  res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); // OK
+  res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // NOT OK.
+  res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK -- Might be okay depending on what unknownFlags evaluates to.
+});