Merge branch 'master' into js/improve-getAResponseDataNode

2026-05-01 03:35:13 +02:00 · 2019-09-17 13:18:41 +02:00
parent 9aa0e711b2 396a72db5f
commit ac6554b7da
220 changed files with 7667 additions and 2867 deletions
--- a/javascript/ql/src/Declarations/DeadStore.qll
+++ b/javascript/ql/src/Declarations/DeadStore.qll
@@ -12,7 +12,7 @@ predicate isDefaultInit(Expr e) {
  // primitive default values: zero, false, empty string, and (integer) -1
  e.(NumberLiteral).getValue().toFloat() = 0.0 or
  e.(NegExpr).getOperand().(NumberLiteral).getValue() = "1" or
-  e.(ConstantString).getStringValue() = "" or
+  e.getStringValue() = "" or
  e.(BooleanLiteral).getValue() = "false" or
  // initialising to an empty array or object literal, even if unnecessary,
  // can convey useful type information to the reader
--- a/javascript/ql/src/Declarations/UnusedVariable.qll
+++ b/javascript/ql/src/Declarations/UnusedVariable.qll
@@ -3,6 +3,7 @@
 */

 import javascript
+import LanguageFeatures.UnusedIndexVariable

 /**
 * A local variable that is neither used nor exported, and is not a parameter
@@ -16,6 +17,8 @@ class UnusedLocal extends LocalVariable {
    not exists(ClassExpr ce | this = ce.getVariable()) and
    not exists(ExportDeclaration ed | ed.exportsAs(this, _)) and
    not exists(LocalVarTypeAccess type | type.getVariable() = this) and
+    // avoid double reporting
+    not unusedIndexVariable(_, this, _) and
    // common convention: variables with leading underscore are intentionally unused
    getName().charAt(0) != "_"
  }
--- a/javascript/ql/src/Expressions/HapaxLegomenon.ql
+++ b/javascript/ql/src/Expressions/HapaxLegomenon.ql
@@ -23,7 +23,7 @@ int countOccurrences(string name) {
      id.(Identifier).getName() = name
      or
      // count string literals as well to capture meta-programming
-      id.(ConstantString).getStringValue() = name
+      id.getStringValue() = name
    )
 }

--- a/javascript/ql/src/LanguageFeatures/UnusedIndexVariable.qhelp
+++ b/javascript/ql/src/LanguageFeatures/UnusedIndexVariable.qhelp
@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+If the loop variable of a <code>for</code> loop ranges over the indices of an array, that variable
+would normally be used as an array index in the body of the loop. If, instead, the loop body only
+refers to array elements at constant indices, this may indicate a logic error or leftover testing
+code.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Examine the loop carefully to ensure it is behaving as expected. You may want to consider using
+a <code>for</code>-<code>of</code> loop to iterate over all elements of an array without the need
+for error-prone index manipulations.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows a function that is intended to sum up the elements of an array
+<code>xs</code>. The loop variable <code>i</code> is counted up from zero to
+<code>xs.length-1</code>, but instead of adding <code>xs[i]</code> to the running sum
+<code>res</code>, the code adds <code>xs[0]</code>, the first element of <code>xs</code>,
+to it, which is likely a mistake:
+</p>
+<sample src="examples/UnusedIndexVariable.js"/>
+<p>
+The problem can be fixed by adding <code>xs[i]</code> instead:
+</p>
+<sample src="examples/UnusedIndexVariableGood.js"/>
+<p>
+Alternatively, the function can be written more succinctly using a <code>for</code>-<code>of</code>
+loop:
+</p>
+<sample src="examples/UnusedIndexVariableGood2.js"/>
+</example>
+
+<references>
+<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for">for</a></li>
+<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for...of">for...of</a></li>
+</references>
+</qhelp>
--- a/javascript/ql/src/LanguageFeatures/UnusedIndexVariable.ql
+++ b/javascript/ql/src/LanguageFeatures/UnusedIndexVariable.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Unused index variable
+ * @description Iterating over an array but not using the index variable to access array elements
+ *              may indicate a typo or logic error.
+ * @kind problem
+ * @problem.severity warning
+ * @id js/unused-index-variable
+ * @precision high
+ * @tags correctness
+ */
+
+import javascript
+import UnusedIndexVariable
+
+from RelationalComparison rel, Variable idx, Variable v
+where unusedIndexVariable(rel, idx, v)
+select rel, "Index variable " + idx + " is never used to access elements of " + v + "."
--- a/javascript/ql/src/LanguageFeatures/UnusedIndexVariable.qll
+++ b/javascript/ql/src/LanguageFeatures/UnusedIndexVariable.qll
@@ -0,0 +1,40 @@
+/**
+ * Provides a predicate for identifying unused index variables in loops.
+ */
+
+import javascript
+
+/**
+ * Holds if `arr` is of the form `base[idx]` and is nested inside loop `fs`.
+ */
+private predicate arrayIndexInLoop(IndexExpr arr, Variable base, Expr idx, ForStmt fs) {
+  arr.getEnclosingStmt().getParentStmt*() = fs.getBody() and
+  arr.getBase() = base.getAnAccess() and
+  arr.getIndex() = idx
+}
+
+/**
+ * Gets `e` or a sub-expression `s` resulting from `e` by peeling off unary and binary
+ * operators, increments, decrements, type assertions, parentheses, sequence expressions,
+ * and assignments.
+ */
+private Expr unwrap(Expr e) {
+  result = e or
+  result = unwrap(e.(UpdateExpr).getOperand()) or
+  result = unwrap(e.(UnaryExpr).getOperand()) or
+  result = unwrap(e.(BinaryExpr).getAnOperand()) or
+  result = unwrap(e.getUnderlyingValue())
+}
+
+/**
+ * Holds if `rel` is a for-loop condition of the form `idx <= v.length`, but all array
+ * indices `v[c]` inside the loop body (of which there must be at least one) use a constant
+ * index `c` instead of an index based on `idx`.
+ */
+predicate unusedIndexVariable(RelationalComparison rel, Variable idx, Variable v) {
+  exists(ForStmt fs | fs.getTest() = rel |
+    unwrap(rel.getLesserOperand()) = idx.getAnAccess() and
+    rel.getGreaterOperand().(PropAccess).accesses(v.getAnAccess(), "length") and
+    forex(IndexExpr arr, Expr e | arrayIndexInLoop(arr, v, e, fs) | exists(e.getIntValue()))
+  )
+}
--- a/javascript/ql/src/LanguageFeatures/examples/UnusedIndexVariable.js
+++ b/javascript/ql/src/LanguageFeatures/examples/UnusedIndexVariable.js
@@ -0,0 +1,6 @@
+function sum(xs) {
+  var res = 0;
+  for(var i=0; i<xs.length; ++i)
+    res += xs[0]; // BAD: should be xs[i]
+  return res;
+}
--- a/javascript/ql/src/LanguageFeatures/examples/UnusedIndexVariableGood.js
+++ b/javascript/ql/src/LanguageFeatures/examples/UnusedIndexVariableGood.js
@@ -0,0 +1,6 @@
+function sum(xs) {
+  var res = 0;
+  for(var i=0; i<xs.length; ++i)
+    res += xs[i];
+  return res;
+}
--- a/javascript/ql/src/LanguageFeatures/examples/UnusedIndexVariableGood2.js
+++ b/javascript/ql/src/LanguageFeatures/examples/UnusedIndexVariableGood2.js
@@ -0,0 +1,6 @@
+function sum(xs) {
+  var res = 0;
+  for(var x of xs)
+    res += x;
+  return res;
+}
--- a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -122,6 +122,10 @@ predicate isDelimiterUnwrapper(
    left = "{" and right = "}"
    or
    left = "(" and right = ")"
+    or
+    left = "\"" and right = "\""
+    or
+    left = "'" and right = "'"
  |
    removesFirstOccurence(leftUnwrap, left) and
    removesFirstOccurence(rightUnwrap, right) and
--- a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
+++ b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -13,6 +13,7 @@

 import javascript
 import semmle.javascript.RestrictedLocations
+import semmle.javascript.security.SensitiveActions

 /**
 * Holds if some JSON or YAML file contains a property with name `key`
@@ -56,7 +57,8 @@ where
    key.toLowerCase() = "password" and
    pwd = val and
    // exclude interpolations of environment variables
-    not val.regexpMatch("\\$.*|%.*%")
+    not val.regexpMatch("\\$.*|%.*%") and
+    not PasswordHeuristics::isDummyPassword(val)
    or
    key.toLowerCase() != "readme" and
    // look for `password=...`, but exclude `password=;`, `password="$(...)"`,
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -22,8 +22,14 @@ where
  // use source value in message if it's available
  if source.getNode().asExpr() instanceof ConstantString
  then
-    value = "The hard-coded value \"" + source.getNode().asExpr().(ConstantString).getStringValue() +
-        "\""
+    exists(string val | val = source.getNode().getStringValue() |
+      // exclude dummy passwords
+      not (
+        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "password" and
+        PasswordHeuristics::isDummyPassword(val)
+      ) and
+      value = "The hard-coded value \"" + val + "\""
+    )
  else value = "This hard-coded value"
 select source.getNode(), source, sink, value + " is used as $@.", sink.getNode(),
  sink.getNode().(Sink).getKind()
--- a/javascript/ql/src/semmle/javascript/AMD.qll
+++ b/javascript/ql/src/semmle/javascript/AMD.qll
@@ -189,7 +189,7 @@ private class AmdDependencyPath extends PathExprCandidate {
 private class ConstantAmdDependencyPathElement extends PathExprInModule, ConstantString {
  ConstantAmdDependencyPathElement() { this = any(AmdDependencyPath amd).getAPart() }

-  override string getValue() { result = this.(ConstantString).getStringValue() }
+  override string getValue() { result = getStringValue() }
 }

 /**
--- a/javascript/ql/src/semmle/javascript/Closure.qll
+++ b/javascript/ql/src/semmle/javascript/Closure.qll
@@ -56,7 +56,7 @@ module Closure {
    ClosureNamespaceRef::Range {
    DefaultNamespaceRef() { this = DataFlow::globalVarRef("goog").getAMethodCall() }

-    override string getClosureNamespace() { result = getArgument(0).asExpr().getStringValue() }
+    override string getClosureNamespace() { result = getArgument(0).getStringValue() }
  }

  /**
--- a/javascript/ql/src/semmle/javascript/ES2015Modules.qll
+++ b/javascript/ql/src/semmle/javascript/ES2015Modules.qll
@@ -82,7 +82,7 @@ class ImportDeclaration extends Stmt, Import, @importdeclaration {
 private class LiteralImportPath extends PathExprInModule, ConstantString {
  LiteralImportPath() { exists(ImportDeclaration req | this = req.getChildExpr(-1)) }

-  override string getValue() { result = this.(ConstantString).getStringValue() }
+  override string getValue() { result = getStringValue() }
 }

 /**
@@ -596,7 +596,7 @@ abstract class ReExportDeclaration extends ExportDeclaration {
 private class LiteralReExportPath extends PathExprInModule, ConstantString {
  LiteralReExportPath() { exists(ReExportDeclaration bred | this = bred.getImportedPath()) }

-  override string getValue() { result = this.(ConstantString).getStringValue() }
+  override string getValue() { result = getStringValue() }
 }

 /**
--- a/javascript/ql/src/semmle/javascript/Expr.qll
+++ b/javascript/ql/src/semmle/javascript/Expr.qll
@@ -2600,7 +2600,7 @@ private class LiteralDynamicImportPath extends PathExprInModule, ConstantString
    exists(DynamicImportExpr di | this.getParentExpr*() = di.getSource())
  }

-  override string getValue() { result = this.(ConstantString).getStringValue() }
+  override string getValue() { result = getStringValue() }
 }

 /**
--- a/javascript/ql/src/semmle/javascript/NodeJS.qll
+++ b/javascript/ql/src/semmle/javascript/NodeJS.qll
@@ -269,7 +269,7 @@ private class RequirePath extends PathExprCandidate {
 private class ConstantRequirePathElement extends PathExprInModule, ConstantString {
  ConstantRequirePathElement() { this = any(RequirePath rp).getAPart() }

-  override string getValue() { result = this.getStringValue() }
+  override string getValue() { result = getStringValue() }
 }

 /** A `__dirname` path expression. */
--- a/javascript/ql/src/semmle/javascript/StandardLibrary.qll
+++ b/javascript/ql/src/semmle/javascript/StandardLibrary.qll
@@ -17,7 +17,7 @@ class CallToObjectDefineProperty extends DataFlow::MethodCallNode {
  DataFlow::Node getBaseObject() { result = getArgument(0) }

  /** Gets the name of the property being defined, if it can be determined. */
-  string getPropertyName() { result = getArgument(1).asExpr().(ConstantString).getStringValue() }
+  string getPropertyName() { result = getArgument(1).getStringValue() }

  /** Gets the data flow node denoting the descriptor of the property being defined. */
  DataFlow::Node getPropertyDescriptor() { result = getArgument(2) }
--- a/javascript/ql/src/semmle/javascript/TypeScript.qll
+++ b/javascript/ql/src/semmle/javascript/TypeScript.qll
@@ -222,7 +222,7 @@ private class LiteralExternalModulePath extends PathExprInModule, ConstantString
    exists(ExternalModuleReference emr | this.getParentExpr*() = emr.getExpression())
  }

-  override string getValue() { result = this.(ConstantString).getStringValue() }
+  override string getValue() { result = getStringValue() }
 }

 /** A TypeScript "export-assign" declaration. */
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -476,7 +476,7 @@ module ModuleImportNode {
      exists(AmdModuleDefinition amd, CallExpr req |
        req = amd.getARequireCall() and
        this = DataFlow::valueNode(req) and
-        path = req.getArgument(0).(ConstantString).getStringValue()
+        path = req.getArgument(0).getStringValue()
      )
    }

--- a/javascript/ql/src/semmle/javascript/dependencies/FrameworkLibraries.qll
+++ b/javascript/ql/src/semmle/javascript/dependencies/FrameworkLibraries.qll
@@ -390,7 +390,7 @@ private predicate mooToolsObject(ObjectExpr oe, TopLevel tl, string version) {
  |
    d.getBase() instanceof ThisExpr and
    d.getPropertyName() = "MooTools" and
-    version = oe.getPropertyByName("version").getInit().(ConstantString).getStringValue()
+    version = oe.getPropertyByName("version").getInit().getStringValue()
  )
 }

@@ -429,7 +429,7 @@ private class Prototype extends FrameworkLibraryWithGenericURL {
 private predicate prototypeObject(ObjectExpr oe, TopLevel tl, string version) {
  exists(VariableDeclarator vd | tl = vd.getTopLevel() and oe = vd.getInit() |
    vd.getBindingPattern().(Identifier).getName() = "Prototype" and
-    version = oe.getPropertyByName("Version").getInit().(ConstantString).getStringValue()
+    version = oe.getPropertyByName("Version").getInit().getStringValue()
  )
 }

@@ -468,7 +468,7 @@ private class Scriptaculous extends FrameworkLibraryWithGenericURL {
 private predicate scriptaculousObject(ObjectExpr oe, TopLevel tl, string version) {
  exists(VariableDeclarator vd | tl = vd.getTopLevel() and oe = vd.getInit() |
    vd.getBindingPattern().(Identifier).getName() = "Scriptaculous" and
-    version = oe.getPropertyByName("Version").getInit().(ConstantString).getStringValue()
+    version = oe.getPropertyByName("Version").getInit().getStringValue()
  )
 }

--- a/javascript/ql/src/semmle/javascript/frameworks/Electron.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Electron.qll
@@ -116,7 +116,7 @@ module Electron {
      Process getProcess() { result = process }

      /** Gets the name of the channel the callback is listening on. */
-      string getChannelName() { result = channel.asExpr().getStringValue() }
+      string getChannelName() { result = channel.getStringValue() }

      /** Gets the data flow node containing the message received by the callback. */
      DataFlow::Node getMessage() { result = getParameter(1) }
@@ -156,7 +156,7 @@ module Electron {

      override Process getProcess() { result = process }

-      override string getChannelName() { result = channel.asExpr().getStringValue() }
+      override string getChannelName() { result = channel.getStringValue() }
    }

    /**
@@ -186,7 +186,7 @@ module Electron {

      override Process getProcess() { result = callback.getProcess() }

-      override string getChannelName() { result = channel.asExpr().getStringValue() }
+      override string getChannelName() { result = channel.getStringValue() }
    }

    /**
@@ -221,7 +221,7 @@ module Electron {

      override Process getProcess() { result = Process::main() }

-      override string getChannelName() { result = channel.asExpr().getStringValue() }
+      override string getChannelName() { result = channel.getStringValue() }
    }

    /**
--- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -147,6 +147,48 @@ module Express {
      this.getRequestMethod() = that.getRequestMethod()
    }
  }
+  
+  /**
+   * A call that sets up a Passport router that includes the request object.
+   */
+  private class PassportRouteSetup extends HTTP::Servers::StandardRouteSetup, CallExpr {
+    DataFlow::ModuleImportNode importNode;
+    DataFlow::FunctionNode callback;
+  	
+    // looks for this pattern: passport.use(new Strategy({passReqToCallback: true}, callback))
+    PassportRouteSetup() {
+      importNode = DataFlow::moduleImport("passport") and
+      this = importNode.getAMemberCall("use").asExpr() and
+      exists(DataFlow::NewNode strategy | 
+      	strategy.flowsToExpr(this.getArgument(0)) and
+      	strategy.getNumArgument() = 2 and 
+      	// new Strategy({passReqToCallback: true}, ...)
+      	strategy.getOptionArgument(0, "passReqToCallback").mayHaveBooleanValue(true) and 
+      	callback.flowsTo(strategy.getArgument(1))
+      )
+    }
+    
+    override Expr getServer() { result = importNode.asExpr() }
+    
+    override DataFlow::SourceNode getARouteHandler() {
+      result = callback
+    }
+  }
+  
+  /**
+   * The callback given to passport in PassportRouteSetup. 
+   */
+  private class PassportRouteHandler extends RouteHandler, HTTP::Servers::StandardRouteHandler,
+    DataFlow::ValueNode {
+    override Function astNode;
+
+    PassportRouteHandler() { this = any(PassportRouteSetup setup).getARouteHandler() }
+
+    override SimpleParameter getRouteHandlerParameter(string kind) {
+      kind = "request" and 
+      result = astNode.getParameter(0)
+    }
+  }

  /**
   * An expression used as an Express route handler, such as `submitHandler` below:
--- a/javascript/ql/src/semmle/javascript/frameworks/xUnit.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/xUnit.qll
@@ -11,7 +11,7 @@ private predicate xUnitDetected() {
    mc.getParent() instanceof ExprStmt and
    mc = DataFlow::globalVarRef("Function").getAMemberCall("RegisterNamespace").asExpr() and
    mc.getNumArgument() = 1 and
-    mc.getArgument(0).(ConstantString).getStringValue() = "xUnit.js"
+    mc.getArgument(0).getStringValue() = "xUnit.js"
  )
 }

--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -245,3 +245,21 @@ class CleartextPasswordExpr extends SensitiveExpr {

  override SensitiveExpr::Classification getClassification() { none() }
 }
+
+/**
+ * Provides heuristics for classifying passwords.
+ */
+module PasswordHeuristics {
+  /**
+   * Holds if `password` looks like a deliberately weak password that the user should change.
+   */
+  bindingset[password]
+  predicate isDummyPassword(string password) {
+    password.length() < 4
+    or
+    exists(string normalized | normalized = password.toLowerCase() |
+      count(normalized.charAt(_)) = 1 or
+      normalized.regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth).*")
+    )
+  }
+}
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -229,11 +229,11 @@ module TaintedPath {
   * Holds if `node` is a prefix of the string `../`.
   */
  private predicate isDotDotSlashPrefix(DataFlow::Node node) {
-    node.asExpr().getStringValue() + any(string s) = "../"
+    node.getStringValue() + any(string s) = "../"
    or
    // ".." + path.sep
    exists(StringOps::Concatenation conc | node = conc |
-      conc.getOperand(0).asExpr().getStringValue() = ".." and
+      conc.getOperand(0).getStringValue() = ".." and
      conc.getOperand(1).getALocalSource() = DataFlow::moduleMember("path", "sep") and
      conc.getNumOperand() = 2
    )
@@ -277,7 +277,7 @@ module TaintedPath {
      this = startsWith and
      not isDotDotSlashPrefix(startsWith.getSubstring()) and
      // do not confuse this with a simple isAbsolute() check
-      not startsWith.getSubstring().asExpr().getStringValue() = "/"
+      not startsWith.getSubstring().getStringValue() = "/"
    }

    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
@@ -308,7 +308,7 @@ module TaintedPath {
      )
      or
      exists(StringOps::StartsWith startsWith, string substring | this = startsWith |
-        startsWith.getSubstring().asExpr().getStringValue() = "/" + substring and
+        startsWith.getSubstring().getStringValue() = "/" + substring and
        operand = startsWith.getBaseString() and
        polarity = startsWith.getPolarity() and
        if substring = "" then negatable = true else negatable = false
--- a/javascript/ql/test/library-tests/SensitiveActions/DummyPasswords.expected
+++ b/javascript/ql/test/library-tests/SensitiveActions/DummyPasswords.expected
@@ -0,0 +1,9 @@
+|  | true |
+| XXXXXXXX | true |
+| abcdefgh | false |
+| admin | true |
+| change_me | true |
+| example_password | true |
+| insert-auth-from-gui | true |
+| root | true |
+| sOKY6ccizpmvF*32so%Q | false |
--- a/javascript/ql/test/library-tests/SensitiveActions/DummyPasswords.ql
+++ b/javascript/ql/test/library-tests/SensitiveActions/DummyPasswords.ql
@@ -0,0 +1,20 @@
+import javascript
+import semmle.javascript.security.SensitiveActions
+
+string getASamplePassword() {
+  result = "abcdefgh" or
+  result = "sOKY6ccizpmvF*32so%Q" or
+  result = "XXXXXXXX" or
+  result = "example_password" or
+  result = "change_me" or
+  result = "" or
+  result = "insert-auth-from-gui" or
+  result = "admin" or
+  result = "root"
+}
+
+from string password, boolean isDummy
+where
+  password = getASamplePassword() and
+  if PasswordHeuristics::isDummyPassword(password) then isDummy = true else isDummy = false
+select password, isDummy
--- a/javascript/ql/test/library-tests/StringConcatenation/ContainsTwo.ql
+++ b/javascript/ql/test/library-tests/StringConcatenation/ContainsTwo.ql
@@ -2,7 +2,7 @@ import javascript

 // Select all expressions whose string value contains the word "two"
 predicate containsTwo(DataFlow::Node node) {
-  node.asExpr().getStringValue().regexpMatch(".*two.*")
+  node.getStringValue().regexpMatch(".*two.*")
  or
  containsTwo(node.getAPredecessor())
  or
--- a/javascript/ql/test/library-tests/TypeScript/Namespaces/CheckBindings.ql
+++ b/javascript/ql/test/library-tests/TypeScript/Namespaces/CheckBindings.ql
@@ -5,10 +5,10 @@ class ResolveCall extends CallExpr {

  Variable getVariable() { result = this.getArgument(0).(VarUse).getVariable() }

-  string getExpectation() { result = this.getArgument(1).(ConstantString).getStringValue() }
+  string getExpectation() { result = this.getArgument(1).getStringValue() }

  string getDeclaredValue() {
-    result = getVariable().getAnAssignedExpr().(ConstantString).getStringValue()
+    result = getVariable().getAnAssignedExpr().getStringValue()
    or
    exists(NamespaceDeclaration decl | decl.getId() = getVariable().getADeclaration() |
      result = getNamespaceName(decl)
@@ -17,7 +17,7 @@ class ResolveCall extends CallExpr {
 }

 string getNamespaceName(NamespaceDeclaration decl) {
-  result = decl.getStmt(0).(ExprStmt).getExpr().(ConstantString).getStringValue()
+  result = decl.getStmt(0).(ExprStmt).getExpr().getStringValue()
  or
  not decl.getStmt(0).(ExprStmt).getExpr() instanceof ConstantString and
  result = "Namespace " + decl.getId() + " on line " +
--- a/javascript/ql/test/library-tests/frameworks/Express/src/passport.js
+++ b/javascript/ql/test/library-tests/frameworks/Express/src/passport.js
@@ -0,0 +1,29 @@
+var express = require("express");
+var passport = require('passport');
+var twitter = require('passport-twitter');
+
+passport.use(new twitter.Strategy({
+	consumerKey : "foo",
+	consumerSecret : "bar",
+	callbackURL : "baz"
+}, function(accessToken, refreshToken, profile, done) {
+	accessToken.body; // Not tainted. No passReqToCallback flag.
+}));
+
+passport.use(new twitter.Strategy({
+	consumerKey : "foo",
+	consumerSecret : "bar",
+	callbackURL : "baz",
+	passReqToCallback : false
+}, function(accessToken, refreshToken, profile, done) {
+	accessToken.body; // Not tainted. No passReqToCallback set to false.
+}));
+
+passport.use(new twitter.Strategy({
+	consumerKey : "foo",
+	consumerSecret : "bar",
+	callbackURL : "baz",
+	passReqToCallback : true
+}, function(req, accessToken, refreshToken, profile, done) {
+	req.body; // `passReqToCallback` is `true`, so `req` is assumed to be an Express request object, causing this to be a `RequestInputAccss`
+}));
--- a/javascript/ql/test/library-tests/frameworks/Express/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Express/tests.expected
@@ -197,6 +197,7 @@ test_isRequest
 | src/express.js:49:3:49:5 | req |
 | src/express.js:50:3:50:5 | req |
 | src/inheritedFromNode.js:7:2:7:4 | req |
+| src/passport.js:28:2:28:4 | req |
 | src/responseExprs.js:17:5:17:7 | req |
 test_RouteSetup_getRouter
 | src/auth.js:4:1:4:53 | app.use ... d' }})) | src/auth.js:1:13:1:32 | require('express')() |
@@ -279,6 +280,7 @@ test_RequestInputAccess
 | src/express.js:49:3:49:14 | req.hostname | header | src/express.js:46:22:51:1 | functio ... ame];\\n} |
 | src/express.js:50:3:50:32 | req.hea ... erName] | header | src/express.js:46:22:51:1 | functio ... ame];\\n} |
 | src/inheritedFromNode.js:7:2:7:8 | req.url | url | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
+| src/passport.js:28:2:28:9 | req.body | body | src/passport.js:27:4:29:1 | functio ... ccss`\\n} |
 test_SetCookie
 | src/express.js:31:3:31:26 | res.coo ...  'bar') | src/express.js:22:30:32:1 | functio ... ar');\\n} |
 | src/responseExprs.js:23:5:23:16 | res.cookie() | src/responseExprs.js:16:30:42:1 | functio ...     }\\n} |
@@ -448,6 +450,7 @@ test_ExpressSession
 | src/express-session.js:7:1:9:2 | session ... -3"]\\n}) | secret | src/express-session.js:8:13:8:44 | ["secre ... key-3"] |
 test_RequestBodyAccess
 | src/express.js:23:3:23:10 | req.body |
+| src/passport.js:28:2:28:9 | req.body |
 test_RouteSetup_getServer
 | src/csurf-example.js:20:1:23:2 | app.get ... ) })\\n}) | src/csurf-example.js:7:11:7:19 | express() |
 | src/csurf-example.js:25:1:27:2 | app.pos ... re')\\n}) | src/csurf-example.js:7:11:7:19 | express() |
@@ -918,6 +921,7 @@ test_RouterDefinition_RouterDefinition
 | src/subrouter.js:8:16:8:31 | express.Router() |
 test_RouteHandler_getARequestBodyAccess
 | src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:23:3:23:10 | req.body |
+| src/passport.js:27:4:29:1 | functio ... ccss`\\n} | src/passport.js:28:2:28:9 | req.body |
 test_RouterDefinition_getMiddlewareStack
 | src/auth.js:1:13:1:32 | require('express')() | src/auth.js:4:9:4:52 | basicAu ... rd' }}) |
 | src/csurf-example.js:7:11:7:19 | express() | src/csurf-example.js:18:9:18:30 | csrf({  ... true }) |
@@ -1023,6 +1027,7 @@ test_RequestExpr
 | src/express.js:49:3:49:5 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
 | src/express.js:50:3:50:5 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
 | src/inheritedFromNode.js:7:2:7:4 | req | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
+| src/passport.js:28:2:28:4 | req | src/passport.js:27:4:29:1 | functio ... ccss`\\n} |
 | src/responseExprs.js:17:5:17:7 | req | src/responseExprs.js:16:30:42:1 | functio ...     }\\n} |
 test_RequestExprStandalone
 | typed_src/tst.ts:6:3:6:3 | x |
@@ -1055,4 +1060,5 @@ test_RouteHandler_getARequestExpr
 | src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:49:3:49:5 | req |
 | src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:50:3:50:5 | req |
 | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:7:2:7:4 | req |
+| src/passport.js:27:4:29:1 | functio ... ccss`\\n} | src/passport.js:28:2:28:4 | req |
 | src/responseExprs.js:16:30:42:1 | functio ...     }\\n} | src/responseExprs.js:17:5:17:7 | req |
--- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js
+++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js
@@ -0,0 +1,6 @@
+function sum(xs, i) {
+  var res = 0;
+  for(;i++<xs.length;) // NOT OK, but flagged by js/unused-index-variable
+    res += xs[0];
+  return res;
+}
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.expected
@@ -0,0 +1,2 @@
+| UnusedIndexVariable2.js:3:8:3:20 | i++<xs.length | Index variable i is never used to access elements of xs. |
+| UnusedIndexVariable.js:3:16:3:26 | i<xs.length | Index variable i is never used to access elements of xs. |
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.js
@@ -0,0 +1,6 @@
+function sum(xs) {
+  var res = 0;
+  for(var i=0; i<xs.length; ++i)
+    res += xs[0]; // BAD: should be xs[i]
+  return res;
+}
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.qlref
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.qlref
@@ -0,0 +1 @@
+LanguageFeatures/UnusedIndexVariable.ql
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable2.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable2.js
@@ -0,0 +1,6 @@
+function sum(xs, i) {
+  var res = 0;
+  for(;i++<xs.length;)
+    res += xs[0]; // BAD: should be xs[i]
+  return res;
+}
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariableGood.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariableGood.js
@@ -0,0 +1,6 @@
+function sum(xs) {
+  var res = 0;
+  for(var i=0; i<xs.length; ++i)
+    res += xs[i];
+  return res;
+}
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariableGood2.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariableGood2.js
@@ -0,0 +1,6 @@
+function sum(xs) {
+  var res = 0;
+  for(var x of xs)
+    res += x;
+  return res;
+}
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/tst.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/tst.js
@@ -0,0 +1,12 @@
+function isEmpty(xs) {
+  for(var i=0; i<xs.length; ++i)
+    return false;
+  return true;
+}
+
+function desk(xs) {
+  for(var i=0; i<xs.length; ++i)
+    if(xs[i] < xs[0])
+      return "yellow";
+  return [];
+}
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
@@ -192,3 +192,8 @@ app.get('/some/path', function(req, res) {
 	var indirect = /'/;
 	return s.replace(indirect, ""); // NOT OK
 });
+
+(function (s) {
+	s.replace('"', '').replace('"', ''); // OK
+	s.replace("'", "").replace("'", ""); // OK
+});
--- a/javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected
@@ -1,3 +1,3 @@
-| mysql-config.json:4:16:4:23 | "secret" | Hard-coded password 'secret' in configuration file. |
+| mysql-config.json:4:16:4:25 | "abcdefgh" | Hard-coded password 'abcdefgh' in configuration file. |
 | tst4.json:2:10:2:38 | "script ... ecret'" | Hard-coded password ''secret'' in configuration file. |
 | tst7.yml:2:9:2:6 | \| | Hard-coded password 'abc' in configuration file. |
--- a/javascript/ql/test/query-tests/Security/CWE-313/mysql-config.json
+++ b/javascript/ql/test/query-tests/Security/CWE-313/mysql-config.json
@@ -1,6 +1,6 @@
 {
  "host"     : "localhost",
  "user"     : "me",
-  "password" : "secret",
+  "password" : "abcdefgh",
  "database" : "my_db"
-}
+}
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst.yml
@@ -4,3 +4,4 @@ steps:
    OTHER_PASSWORD=`get password` yarn install
 username: <%= ENV['USERNAME'] %>
 password: <%= ENV['PASSWORD'] %>
+password: change_me
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -1,107 +1,112 @@
 nodes
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
-| HardcodedCredentials.js:8:19:8:34 | 'secretpassword' |
-| HardcodedCredentials.js:15:36:15:50 | "user:password" |
-| HardcodedCredentials.js:16:37:16:51 | "user:password" |
-| HardcodedCredentials.js:18:16:18:30 | "user:password" |
+| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
+| HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" |
+| HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" |
+| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" |
 | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
 | HardcodedCredentials.js:27:25:27:31 | 'admin' |
-| HardcodedCredentials.js:27:34:27:46 | 'supersecret' |
+| HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' |
 | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' |
-| HardcodedCredentials.js:29:35:29:47 | 'supersecret' |
+| HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' |
 | HardcodedCredentials.js:35:15:35:24 | 'username' |
-| HardcodedCredentials.js:35:27:35:36 | 'password' |
+| HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' |
 | HardcodedCredentials.js:41:38:41:47 | 'username' |
-| HardcodedCredentials.js:41:67:41:76 | 'password' |
+| HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' |
 | HardcodedCredentials.js:42:35:42:44 | 'username' |
-| HardcodedCredentials.js:42:64:42:73 | 'password' |
+| HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' |
 | HardcodedCredentials.js:44:34:44:43 | 'username' |
-| HardcodedCredentials.js:44:63:44:72 | 'password' |
-| HardcodedCredentials.js:46:25:46:34 | 'password' |
+| HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' |
+| HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' |
 | HardcodedCredentials.js:53:27:53:36 | 'username' |
-| HardcodedCredentials.js:53:39:53:48 | 'password' |
+| HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' |
 | HardcodedCredentials.js:56:21:56:30 | 'username' |
-| HardcodedCredentials.js:57:21:57:30 | 'password' |
+| HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' |
 | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' |
 | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' |
 | HardcodedCredentials.js:69:28:69:37 | 'username' |
-| HardcodedCredentials.js:69:40:69:49 | 'password' |
+| HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' |
 | HardcodedCredentials.js:70:28:70:37 | 'username' |
-| HardcodedCredentials.js:70:40:70:49 | 'password' |
+| HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' |
 | HardcodedCredentials.js:72:23:72:32 | 'username' |
-| HardcodedCredentials.js:72:35:72:44 | 'password' |
+| HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' |
 | HardcodedCredentials.js:75:21:75:30 | 'username' |
-| HardcodedCredentials.js:76:21:76:30 | 'password' |
+| HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' |
 | HardcodedCredentials.js:84:38:84:47 | 'username' |
-| HardcodedCredentials.js:84:50:84:59 | 'password' |
+| HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' |
 | HardcodedCredentials.js:86:44:86:53 | 'username' |
-| HardcodedCredentials.js:86:56:86:65 | 'password' |
+| HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' |
 | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' |
 | HardcodedCredentials.js:98:18:98:21 | 'x1' |
 | HardcodedCredentials.js:99:16:99:19 | 'x2' |
 | HardcodedCredentials.js:100:25:100:28 | 'x3' |
 | HardcodedCredentials.js:101:19:101:22 | 'x4' |
-| HardcodedCredentials.js:102:14:102:17 | 'y1' |
-| HardcodedCredentials.js:103:17:103:20 | 'y2' |
-| HardcodedCredentials.js:104:27:104:30 | 'y3' |
-| HardcodedCredentials.js:105:19:105:22 | 'y4' |
-| HardcodedCredentials.js:106:16:106:19 | 'z1' |
+| HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' |
+| HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' |
+| HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' |
+| HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' |
+| HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' |
 | HardcodedCredentials.js:112:19:112:22 | 'x5' |
-| HardcodedCredentials.js:113:19:113:22 | 'y5' |
-| HardcodedCredentials.js:130:44:130:58 | 'crypto secret' |
-| HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' |
-| HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" |
+| HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' |
+| HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' |
+| HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' |
+| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" |
+| HardcodedCredentials.js:160:38:160:48 | "change_me" |
+| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
+| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
 edges
-| HardcodedCredentials.js:18:16:18:30 | "user:password" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
+| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
-| HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | The hard-coded value "secretpassword" is used as $@. | HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | password |
-| HardcodedCredentials.js:15:36:15:50 | "user:password" | HardcodedCredentials.js:15:36:15:50 | "user:password" | HardcodedCredentials.js:15:36:15:50 | "user:password" | The hard-coded value "user:password" is used as $@. | HardcodedCredentials.js:15:36:15:50 | "user:password" | credentials |
-| HardcodedCredentials.js:16:37:16:51 | "user:password" | HardcodedCredentials.js:16:37:16:51 | "user:password" | HardcodedCredentials.js:16:37:16:51 | "user:password" | The hard-coded value "user:password" is used as $@. | HardcodedCredentials.js:16:37:16:51 | "user:password" | credentials |
-| HardcodedCredentials.js:18:16:18:30 | "user:password" | HardcodedCredentials.js:18:16:18:30 | "user:password" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | The hard-coded value "user:password" is used as $@. | HardcodedCredentials.js:20:36:20:51 | getCredentials() | credentials |
+| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
+| HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | credentials |
+| HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | credentials |
+| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:20:36:20:51 | getCredentials() | credentials |
 | HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | The hard-coded value "admin" is used as $@. | HardcodedCredentials.js:27:25:27:31 | 'admin' | user name |
-| HardcodedCredentials.js:27:34:27:46 | 'supersecret' | HardcodedCredentials.js:27:34:27:46 | 'supersecret' | HardcodedCredentials.js:27:34:27:46 | 'supersecret' | The hard-coded value "supersecret" is used as $@. | HardcodedCredentials.js:27:34:27:46 | 'supersecret' | password |
+| HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | password |
 | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | The hard-coded value "unknown-admin-name" is used as $@. | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | user name |
-| HardcodedCredentials.js:29:35:29:47 | 'supersecret' | HardcodedCredentials.js:29:35:29:47 | 'supersecret' | HardcodedCredentials.js:29:35:29:47 | 'supersecret' | The hard-coded value "supersecret" is used as $@. | HardcodedCredentials.js:29:35:29:47 | 'supersecret' | password |
+| HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | password |
 | HardcodedCredentials.js:35:15:35:24 | 'username' | HardcodedCredentials.js:35:15:35:24 | 'username' | HardcodedCredentials.js:35:15:35:24 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:35:15:35:24 | 'username' | user name |
-| HardcodedCredentials.js:35:27:35:36 | 'password' | HardcodedCredentials.js:35:27:35:36 | 'password' | HardcodedCredentials.js:35:27:35:36 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:35:27:35:36 | 'password' | password |
+| HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | password |
 | HardcodedCredentials.js:41:38:41:47 | 'username' | HardcodedCredentials.js:41:38:41:47 | 'username' | HardcodedCredentials.js:41:38:41:47 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:41:38:41:47 | 'username' | user name |
-| HardcodedCredentials.js:41:67:41:76 | 'password' | HardcodedCredentials.js:41:67:41:76 | 'password' | HardcodedCredentials.js:41:67:41:76 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:41:67:41:76 | 'password' | password |
+| HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | password |
 | HardcodedCredentials.js:42:35:42:44 | 'username' | HardcodedCredentials.js:42:35:42:44 | 'username' | HardcodedCredentials.js:42:35:42:44 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:42:35:42:44 | 'username' | user name |
-| HardcodedCredentials.js:42:64:42:73 | 'password' | HardcodedCredentials.js:42:64:42:73 | 'password' | HardcodedCredentials.js:42:64:42:73 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:42:64:42:73 | 'password' | password |
+| HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | password |
 | HardcodedCredentials.js:44:34:44:43 | 'username' | HardcodedCredentials.js:44:34:44:43 | 'username' | HardcodedCredentials.js:44:34:44:43 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:44:34:44:43 | 'username' | user name |
-| HardcodedCredentials.js:44:63:44:72 | 'password' | HardcodedCredentials.js:44:63:44:72 | 'password' | HardcodedCredentials.js:44:63:44:72 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:44:63:44:72 | 'password' | password |
-| HardcodedCredentials.js:46:25:46:34 | 'password' | HardcodedCredentials.js:46:25:46:34 | 'password' | HardcodedCredentials.js:46:25:46:34 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:46:25:46:34 | 'password' | password |
+| HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | password |
+| HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | password |
 | HardcodedCredentials.js:53:27:53:36 | 'username' | HardcodedCredentials.js:53:27:53:36 | 'username' | HardcodedCredentials.js:53:27:53:36 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:53:27:53:36 | 'username' | user name |
-| HardcodedCredentials.js:53:39:53:48 | 'password' | HardcodedCredentials.js:53:39:53:48 | 'password' | HardcodedCredentials.js:53:39:53:48 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:53:39:53:48 | 'password' | password |
+| HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | password |
 | HardcodedCredentials.js:56:21:56:30 | 'username' | HardcodedCredentials.js:56:21:56:30 | 'username' | HardcodedCredentials.js:56:21:56:30 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:56:21:56:30 | 'username' | user name |
-| HardcodedCredentials.js:57:21:57:30 | 'password' | HardcodedCredentials.js:57:21:57:30 | 'password' | HardcodedCredentials.js:57:21:57:30 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:57:21:57:30 | 'password' | password |
+| HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | password |
 | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | The hard-coded value "bearerToken" is used as $@. | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | token |
 | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | The hard-coded value "bearerToken" is used as $@. | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | token |
 | HardcodedCredentials.js:69:28:69:37 | 'username' | HardcodedCredentials.js:69:28:69:37 | 'username' | HardcodedCredentials.js:69:28:69:37 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:69:28:69:37 | 'username' | user name |
-| HardcodedCredentials.js:69:40:69:49 | 'password' | HardcodedCredentials.js:69:40:69:49 | 'password' | HardcodedCredentials.js:69:40:69:49 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:69:40:69:49 | 'password' | password |
+| HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | password |
 | HardcodedCredentials.js:70:28:70:37 | 'username' | HardcodedCredentials.js:70:28:70:37 | 'username' | HardcodedCredentials.js:70:28:70:37 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:70:28:70:37 | 'username' | user name |
-| HardcodedCredentials.js:70:40:70:49 | 'password' | HardcodedCredentials.js:70:40:70:49 | 'password' | HardcodedCredentials.js:70:40:70:49 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:70:40:70:49 | 'password' | password |
+| HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | password |
 | HardcodedCredentials.js:72:23:72:32 | 'username' | HardcodedCredentials.js:72:23:72:32 | 'username' | HardcodedCredentials.js:72:23:72:32 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:72:23:72:32 | 'username' | user name |
-| HardcodedCredentials.js:72:35:72:44 | 'password' | HardcodedCredentials.js:72:35:72:44 | 'password' | HardcodedCredentials.js:72:35:72:44 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:72:35:72:44 | 'password' | password |
+| HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | password |
 | HardcodedCredentials.js:75:21:75:30 | 'username' | HardcodedCredentials.js:75:21:75:30 | 'username' | HardcodedCredentials.js:75:21:75:30 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:75:21:75:30 | 'username' | user name |
-| HardcodedCredentials.js:76:21:76:30 | 'password' | HardcodedCredentials.js:76:21:76:30 | 'password' | HardcodedCredentials.js:76:21:76:30 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:76:21:76:30 | 'password' | password |
+| HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | password |
 | HardcodedCredentials.js:84:38:84:47 | 'username' | HardcodedCredentials.js:84:38:84:47 | 'username' | HardcodedCredentials.js:84:38:84:47 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:84:38:84:47 | 'username' | user name |
-| HardcodedCredentials.js:84:50:84:59 | 'password' | HardcodedCredentials.js:84:50:84:59 | 'password' | HardcodedCredentials.js:84:50:84:59 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:84:50:84:59 | 'password' | password |
+| HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | password |
 | HardcodedCredentials.js:86:44:86:53 | 'username' | HardcodedCredentials.js:86:44:86:53 | 'username' | HardcodedCredentials.js:86:44:86:53 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:86:44:86:53 | 'username' | user name |
-| HardcodedCredentials.js:86:56:86:65 | 'password' | HardcodedCredentials.js:86:56:86:65 | 'password' | HardcodedCredentials.js:86:56:86:65 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:86:56:86:65 | 'password' | password |
+| HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | password |
 | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | The hard-coded value "TOKEN" is used as $@. | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | token |
 | HardcodedCredentials.js:98:18:98:21 | 'x1' | HardcodedCredentials.js:98:18:98:21 | 'x1' | HardcodedCredentials.js:98:18:98:21 | 'x1' | The hard-coded value "x1" is used as $@. | HardcodedCredentials.js:98:18:98:21 | 'x1' | user name |
 | HardcodedCredentials.js:99:16:99:19 | 'x2' | HardcodedCredentials.js:99:16:99:19 | 'x2' | HardcodedCredentials.js:99:16:99:19 | 'x2' | The hard-coded value "x2" is used as $@. | HardcodedCredentials.js:99:16:99:19 | 'x2' | user name |
 | HardcodedCredentials.js:100:25:100:28 | 'x3' | HardcodedCredentials.js:100:25:100:28 | 'x3' | HardcodedCredentials.js:100:25:100:28 | 'x3' | The hard-coded value "x3" is used as $@. | HardcodedCredentials.js:100:25:100:28 | 'x3' | user name |
 | HardcodedCredentials.js:101:19:101:22 | 'x4' | HardcodedCredentials.js:101:19:101:22 | 'x4' | HardcodedCredentials.js:101:19:101:22 | 'x4' | The hard-coded value "x4" is used as $@. | HardcodedCredentials.js:101:19:101:22 | 'x4' | user name |
-| HardcodedCredentials.js:102:14:102:17 | 'y1' | HardcodedCredentials.js:102:14:102:17 | 'y1' | HardcodedCredentials.js:102:14:102:17 | 'y1' | The hard-coded value "y1" is used as $@. | HardcodedCredentials.js:102:14:102:17 | 'y1' | password |
-| HardcodedCredentials.js:103:17:103:20 | 'y2' | HardcodedCredentials.js:103:17:103:20 | 'y2' | HardcodedCredentials.js:103:17:103:20 | 'y2' | The hard-coded value "y2" is used as $@. | HardcodedCredentials.js:103:17:103:20 | 'y2' | password |
-| HardcodedCredentials.js:104:27:104:30 | 'y3' | HardcodedCredentials.js:104:27:104:30 | 'y3' | HardcodedCredentials.js:104:27:104:30 | 'y3' | The hard-coded value "y3" is used as $@. | HardcodedCredentials.js:104:27:104:30 | 'y3' | password |
-| HardcodedCredentials.js:105:19:105:22 | 'y4' | HardcodedCredentials.js:105:19:105:22 | 'y4' | HardcodedCredentials.js:105:19:105:22 | 'y4' | The hard-coded value "y4" is used as $@. | HardcodedCredentials.js:105:19:105:22 | 'y4' | password |
-| HardcodedCredentials.js:106:16:106:19 | 'z1' | HardcodedCredentials.js:106:16:106:19 | 'z1' | HardcodedCredentials.js:106:16:106:19 | 'z1' | The hard-coded value "z1" is used as $@. | HardcodedCredentials.js:106:16:106:19 | 'z1' | token |
+| HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | password |
+| HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | password |
+| HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | password |
+| HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | password |
+| HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | token |
 | HardcodedCredentials.js:112:19:112:22 | 'x5' | HardcodedCredentials.js:112:19:112:22 | 'x5' | HardcodedCredentials.js:112:19:112:22 | 'x5' | The hard-coded value "x5" is used as $@. | HardcodedCredentials.js:112:19:112:22 | 'x5' | user name |
-| HardcodedCredentials.js:113:19:113:22 | 'y5' | HardcodedCredentials.js:113:19:113:22 | 'y5' | HardcodedCredentials.js:113:19:113:22 | 'y5' | The hard-coded value "y5" is used as $@. | HardcodedCredentials.js:113:19:113:22 | 'y5' | password |
-| HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | The hard-coded value "crypto secret" is used as $@. | HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | key |
-| HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | The hard-coded value "crypto-js/aes secret" is used as $@. | HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | key |
-| HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | The hard-coded value "cookie-session secret" is used as $@. | HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | key |
+| HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | password |
+| HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | key |
+| HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | key |
+| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | key |
+| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
+| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -5,17 +5,17 @@
        user: 'dbuser',
        host: 'database.server.com',
        database: 'mydb',
-        password: 'secretpassword',
+        password: 'abcdefgh',
        port: 3211,
    }); // NOT OK
    client.connect();
 })();

 (function() {
-    require("http").request({auth: "user:password"});  // NOT OK
-    require("https").request({auth: "user:password"}); // NOT OK
+    require("http").request({auth: "user:abcdefgh"});  // NOT OK
+    require("https").request({auth: "user:abcdefgh"}); // NOT OK
    function getCredentials() {
-        return "user:password";
+        return "user:abcdefgh";
    }
    require("http").request({auth: getCredentials()}); // NOT OK
    require("http").request({auth: getUnknownCredentials()}); // OK
@@ -24,37 +24,37 @@
 (function() {
    var basicAuth = require('express-basic-auth');

-    basicAuth({users: { 'admin': 'supersecret' }});  // NOT OK
+    basicAuth({users: { 'admin': 'abcdefgh' }});  // NOT OK
    var users = {};
-    users['unknown-admin-name'] = 'supersecret';
+    users['unknown-admin-name'] = 'abcdefgh';
    basicAuth({users: users})  // NOT OK
 })();

 (function() {
    var basicAuth = require('basic-auth-connect');
-    basicAuth('username', 'password'); // NOT OK
+    basicAuth('username', 'abcdefgh'); // NOT OK
    basicAuth(function(){}); // OK
 })();

 (function() {
    var AWS = require('aws-sdk');
-    AWS.config.update({ accessKeyId: 'username', secretAccessKey: 'password'}); // NOT OK
-    new AWS.Config({ accessKeyId: 'username', secretAccessKey: 'password'}); // NOT OK
+    AWS.config.update({ accessKeyId: 'username', secretAccessKey: 'abcdefgh'}); // NOT OK
+    new AWS.Config({ accessKeyId: 'username', secretAccessKey: 'abcdefgh'}); // NOT OK
    var config = new AWS.Config();
-    config.update({ accessKeyId: 'username', secretAccessKey: 'password'}); // NOT OK
+    config.update({ accessKeyId: 'username', secretAccessKey: 'abcdefgh'}); // NOT OK
    var o = {};
-    o.secretAccessKey = 'password';
+    o.secretAccessKey = 'abcdefgh';
    config.update(o); // NOT OK
 })();

 (function() {
    var request = require('request');

-    request.get(url).auth('username', 'password'); // NOT OK
+    request.get(url).auth('username', 'abcdefgh'); // NOT OK
    request.get(url, { // NOT OK
        'auth': {
            'user': 'username',
-            'pass': 'password'
+            'pass': 'abcdefgh'
        }
    });

@@ -66,14 +66,14 @@
        }
    });

-    request.post(url).auth('username', 'password'); // NOT OK
-    request.head(url).auth('username', 'password'); // NOT OK
+    request.post(url).auth('username', 'abcdefgh'); // NOT OK
+    request.head(url).auth('username', 'abcdefgh'); // NOT OK

-    request(url).auth('username', 'password'); // NOT OK
+    request(url).auth('username', 'abcdefgh'); // NOT OK
    request(url, { // NOT OK
        'auth': {
            'user': 'username',
-            'pass': 'password'
+            'pass': 'abcdefgh'
        }
    });
 })();
@@ -81,9 +81,9 @@
 (function() {
    const MsRest = require('ms-rest-azure');

-    MsRest.loginWithUsernamePassword('username', 'password', function(){}); // NOT OK
+    MsRest.loginWithUsernamePassword('username', 'abcdefgh', function(){}); // NOT OK
    MsRest.loginWithUsernamePassword(process.env.AZURE_USER, process.env.AZURE_PASS, function(){}); // OK
-    MsRest.loginWithServicePrincipalSecret('username', 'password', function(){}); // NOT OK
+    MsRest.loginWithServicePrincipalSecret('username', 'abcdefgh', function(){}); // NOT OK
 })();

 (function() {
@@ -99,26 +99,26 @@
        keyId: 'x2',
        storageAccount: 'x3',
        username: 'x4',
-        key: 'y1',
-        apiKey: 'y2',
-        storageAccessKey: 'y3',
-        password: 'y4',
-        token: 'z1'
+        key: 'abcdefgh',
+        apiKey: 'abcdefgh',
+        storageAccessKey: 'abcdefgh',
+        password: 'abcdefgh',
+        token: 'abcdefgh'
    });
    pkgcloud.compute.createClient({ // OK
        INNOCENT_DATA: '42'
    });
    pkgcloud.providers.SOME_PROVIDER.compute.createClient({  // NOT OK
        username: 'x5',
-        password: 'y5'
+        password: 'abcdefgh'
    });
    pkgcloud.UNKNOWN_SERVICE.createClient({  // OK
        username: 'x6',
-        password: 'y6'
+        password: 'abcdefgh'
    });
    pkgcloud.providers.SOME_PROVIDER.UNKNOWN_SERVICE.createClient({  // OK
        username: 'x7',
-        password: 'y7'
+        password: 'abcdefgh'
    });
    pkgcloud.compute.createClient({ // OK
        username: process.env.USERNAME,
@@ -127,12 +127,12 @@
 })();

 (function(){
-    require('crypto').createHmac('sha256', 'crypto secret');
-    require("crypto-js/aes").encrypt('my message', 'crypto-js/aes secret');
+    require('crypto').createHmac('sha256', 'abcdefgh');
+    require("crypto-js/aes").encrypt('my message', 'abcdefgh');
 })()

 (function(){
-    require("cookie-session")({ secret: "cookie-session secret" });
+    require("cookie-session")({ secret: "abcdefgh" });
 })()

 (function(){
@@ -155,3 +155,11 @@
        }
    });
 })();
+
+(function(){
+	require("cookie-session")({ secret: "change_me" }); // NOT OK
+	require('crypto').createHmac('sha256', 'change_me'); // NOT OK
+
+	var basicAuth = require('express-basic-auth');
+	basicAuth({users: { [adminName]: 'change_me' }});  // OK
+})();
--- a/javascript/ql/test/tutorials/Validating
+++ b/javascript/ql/test/tutorials/Validating
@@ -50,7 +50,7 @@ class OspreyMethodDefinition extends MethodCallExpr {
  string getVerb() { result = getMethodName() }

  /** Get the resource path to which this method belongs. */
-  string getResourcePath() { result = getArgument(0).(ConstantString).getStringValue() }
+  string getResourcePath() { result = getArgument(0).getStringValue() }
 }

 /** A callback function bound to a REST method. */