JS: Add test

Asger Feldthaus
2021-11-08 15:32:43 +01:00
parent 330c2c42b5
commit b3e64f1669
3 changed files with 12 additions and 0 deletions


@@ -0,0 +1 @@
| query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js:402 | did not expect an alert, but found an alert for TaintedPath | OK | |


@@ -2129,6 +2129,9 @@ nodes
| normalizedPaths.js:399:21:399:24 | path |
| normalizedPaths.js:399:21:399:24 | path |
| normalizedPaths.js:399:21:399:24 | path |
| normalizedPaths.js:402:21:402:24 | path |
| normalizedPaths.js:402:21:402:24 | path |
| normalizedPaths.js:402:21:402:24 | path |
| other-fs-libraries.js:9:7:9:48 | path |
| other-fs-libraries.js:9:7:9:48 | path |
| other-fs-libraries.js:9:7:9:48 | path |
@@ -7019,6 +7022,10 @@ edges
| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:402:21:402:24 | path |
| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:402:21:402:24 | path |
| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:402:21:402:24 | path |
| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:402:21:402:24 | path |
| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) | normalizedPaths.js:385:7:385:46 | path |
| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) | normalizedPaths.js:385:7:385:46 | path |
| normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
@@ -9699,6 +9706,7 @@ edges
| normalizedPaths.js:381:19:381:29 | slash(path) | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:381:19:381:29 | slash(path) | This path depends on $@. | normalizedPaths.js:377:14:377:27 | req.query.path | a user-provided value |
| normalizedPaths.js:388:19:388:22 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:388:19:388:22 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
| normalizedPaths.js:399:21:399:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:399:21:399:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
| normalizedPaths.js:402:21:402:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:402:21:402:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
| other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
| other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
| other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |


@@ -398,4 +398,7 @@ app.get('/dotdot-regexp', (req, res) => {
if (!path.match(/\.\.\/foo/)) {
fs.readFileSync(path); // NOT OK
}
if (!path.match(/(\.\.\/|\.\.\\)/)) {
fs.readFileSync(path); // OK
}
});
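Review bot: The `// OK` annotation on the new `fs.readFileSync(path)` sink is contradicted by the expectation files in this same commit, which record a TaintedPath alert at normalizedPaths.js:402 and a "did not expect an alert, but found an alert" consistency entry, so the test pins a false positive without saying so. A comment on the guard would make that explicit, for example `// OK - guard rejects both '../' and '..\' separators; currently flagged (known false positive)`. The handler starts outside the hunk, so it is not visible here whether `path` has already been normalized and checked for being absolute. The regexp alone does not reject an absolute path or a value that is exactly `..`, so the comment should also name the earlier check that the `OK` verdict relies on.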