Merge pull request #6284 from erik-krogh/qs

Approved by asgerf
2026-05-01 19:55:15 +02:00 · 2021-07-16 02:11:59 -07:00
parent c1d0e52492 f462c9bb76
commit a02a82caac
4 changed files with 457 additions and 39 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll
@@ -96,13 +96,8 @@ module uridashjs {
   */
  private class Step extends TaintTracking::SharedTaintStep {
    override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(string name, DataFlow::CallNode call |
-        name = "parse" or
-        name = "serialize" or
-        name = "resolve" or
-        name = "normalize"
-      |
-        call = uridashjsMember(name).getACall() and
+      exists(DataFlow::CallNode call |
+        call = uridashjsMember(["parse", "serialize", "resolve", "normalize"]).getACall() and
        pred = call.getAnArgument() and
        succ = call
      )
@@ -126,13 +121,8 @@ module punycode {
   */
  private class Step extends TaintTracking::SharedTaintStep {
    override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(string name, DataFlow::CallNode call |
-        name = "decode" or
-        name = "encode" or
-        name = "toUnicode" or
-        name = "toASCII"
-      |
-        call = punycodeMember(name).getACall() and
+      exists(DataFlow::CallNode call |
+        call = punycodeMember(["decode", "encode", "toUnicode", "toASCII"]).getACall() and
        pred = call.getAnArgument() and
        succ = call
      )
@@ -193,11 +183,8 @@ module querystringify {
   */
  private class Step extends TaintTracking::SharedTaintStep {
    override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(string name, DataFlow::CallNode call |
-        name = "parse" or
-        name = "stringify"
-      |
-        call = querystringifyMember(name).getACall() and
+      exists(DataFlow::CallNode call |
+        call = querystringifyMember(["parse", "stringify"]).getACall() and
        pred = call.getAnArgument() and
        succ = call
      )
@@ -221,13 +208,8 @@ module querydashstring {
   */
  private class Step extends TaintTracking::SharedTaintStep {
    override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(string name, DataFlow::CallNode call |
-        name = "parse" or
-        name = "extract" or
-        name = "parseUrl" or
-        name = "stringify"
-      |
-        call = querydashstringMember(name).getACall() and
+      exists(DataFlow::CallNode call |
+        call = querydashstringMember(["parse", "extract", "parseUrl", "stringify"]).getACall() and
        pred = call.getAnArgument() and
        succ = call
      )
@@ -249,12 +231,8 @@ module url {
   */
  private class Step extends TaintTracking::SharedTaintStep {
    override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(string name, DataFlow::CallNode call |
-        name = "parse" or
-        name = "format" or
-        name = "resolve"
-      |
-        call = urlMember(name).getACall() and
+      exists(DataFlow::CallNode call |
+        call = urlMember(["parse", "format", "resolve"]).getACall() and
        pred = call.getAnArgument() and
        succ = call
      )
@@ -278,13 +256,8 @@ module querystring {
   */
  private class Step extends TaintTracking::SharedTaintStep {
    override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(string name, DataFlow::CallNode call |
-        name = "escape" or
-        name = "unescape" or
-        name = "parse" or
-        name = "stringify"
-      |
-        call = querystringMember(name).getACall() and
+      exists(DataFlow::CallNode call |
+        call = querystringMember(["escape", "unescape", "parse", "stringify"]).getACall() and
        pred = call.getAnArgument() and
        succ = call
      )
@@ -292,6 +265,45 @@ module querystring {
  }
 }

+/**
+ * A taint step through a call to [qs](https://npmjs.com/package/qs)
+ */
+private class QsStep extends TaintTracking::SharedTaintStep {
+  override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call = API::moduleImport("qs").getMember(["parse", "stringify"]).getACall()
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
+
+/**
+ * A taint step through a call to [normalize-url](https://npmjs.com/package/normalize-url)
+ */
+private class NormalizeUrlStep extends TaintTracking::SharedTaintStep {
+  override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call | call = API::moduleImport("normalize-url").getACall() |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
+
+/**
+ * A taint step through a call to [parseqs](https://npmjs.com/package/parseqs).
+ */
+private class ParseQsStep extends TaintTracking::SharedTaintStep {
+  override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call = API::moduleImport("parseqs").getMember(["encode", "decode"]).getACall() and
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
+
 /**
 * Provides steps for the `goog.Uri` class in the closure library.
 */
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -1285,6 +1285,136 @@ nodes
 | TaintedPath.js:195:50:195:53 | path |
 | TaintedPath.js:195:50:195:53 | path |
 | TaintedPath.js:195:50:195:53 | path |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:38:203:44 | req.url |
+| TaintedPath.js:203:38:203:44 | req.url |
+| TaintedPath.js:203:38:203:44 | req.url |
+| TaintedPath.js:203:38:203:44 | req.url |
+| TaintedPath.js:203:38:203:44 | req.url |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url |
+| TaintedPath.js:204:51:204:57 | req.url |
+| TaintedPath.js:204:51:204:57 | req.url |
+| TaintedPath.js:204:51:204:57 | req.url |
+| TaintedPath.js:204:51:204:57 | req.url |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:44:206:50 | req.url |
+| TaintedPath.js:206:44:206:50 | req.url |
+| TaintedPath.js:206:44:206:50 | req.url |
+| TaintedPath.js:206:44:206:50 | req.url |
+| TaintedPath.js:206:44:206:50 | req.url |
 | normalizedPaths.js:11:7:11:27 | path |
 | normalizedPaths.js:11:7:11:27 | path |
 | normalizedPaths.js:11:7:11:27 | path |
@@ -5626,6 +5756,262 @@ edges
 | TaintedPath.js:195:50:195:53 | path | TaintedPath.js:195:29:195:54 | pathMod ... e(path) |
 | TaintedPath.js:195:50:195:53 | path | TaintedPath.js:195:29:195:54 | pathMod ... e(path) |
 | TaintedPath.js:195:50:195:53 | path | TaintedPath.js:195:29:195:54 | pathMod ... e(path) |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:29:206:51 | parseqs ... eq.url) | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
+| TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:51 | parseqs ... eq.url) |
 | normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
 | normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
 | normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
@@ -8923,6 +9309,9 @@ edges
 | TaintedPath.js:179:29:179:57 | path.re ... /g, '') | TaintedPath.js:166:24:166:30 | req.url | TaintedPath.js:179:29:179:57 | path.re ... /g, '') | This path depends on $@. | TaintedPath.js:166:24:166:30 | req.url | a user-provided value |
 | TaintedPath.js:194:29:194:73 | "prefix ... +/, '') | TaintedPath.js:166:24:166:30 | req.url | TaintedPath.js:194:29:194:73 | "prefix ... +/, '') | This path depends on $@. | TaintedPath.js:166:24:166:30 | req.url | a user-provided value |
 | TaintedPath.js:195:29:195:84 | pathMod ... +/, '') | TaintedPath.js:166:24:166:30 | req.url | TaintedPath.js:195:29:195:84 | pathMod ... +/, '') | This path depends on $@. | TaintedPath.js:166:24:166:30 | req.url | a user-provided value |
+| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo | TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo | This path depends on $@. | TaintedPath.js:203:38:203:44 | req.url | a user-provided value |
+| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo | TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo | This path depends on $@. | TaintedPath.js:204:51:204:57 | req.url | a user-provided value |
+| TaintedPath.js:206:29:206:55 | parseqs ... rl).foo | TaintedPath.js:206:44:206:50 | req.url | TaintedPath.js:206:29:206:55 | parseqs ... rl).foo | This path depends on $@. | TaintedPath.js:206:44:206:50 | req.url | a user-provided value |
 | normalizedPaths.js:13:19:13:22 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:19:13:22 | path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
 | normalizedPaths.js:14:19:14:29 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:19:14:29 | './' + path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
 | normalizedPaths.js:15:19:15:38 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -193,4 +193,15 @@ var server = http.createServer(function(req, res) {

  res.write(fs.readFileSync("prefix" + path.replace(/^(\.\.[\/\\])+/, ''))); // NOT OK - not normalized
  res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // NOT OK (can be absolute)
+});
+
+import normalizeUrl from 'normalize-url';
+
+var server = http.createServer(function(req, res) {
+  // tests for a few more uri-libraries
+  const qs = require("qs");
+  res.write(fs.readFileSync(qs.parse(req.url).foo)); // NOT OK
+  res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // NOT OK
+  const parseqs = require("parseqs");
+  res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // NOT OK
 });