hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

add taint through the normalize-url library

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2021-07-14 17:15:14 +02:00
parent 86de10e6a1
commit bec1818fc7
4 changed files with 303 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
javascript/change-notes/2021-07-14-querystring.md
View File

@@ -1,4 +1,5 @@
lgtm,codescanning
* The security queries now track taint through more query string parsers.
Affected packages are
[qs](https://npmjs.com/package/qs)
[qs](https://npmjs.com/package/qs),
[normailize-url](https://npmjs.com/package/normalize-url)

12
javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll
View File

@@ -279,6 +279,18 @@ private class QsStep extends TaintTracking::SharedTaintStep {
}
}
/**
* A taint step through a call to [normalize-url](https://npmjs.com/package/normalize-url)
*/
private class NormalizeUrlStep extends TaintTracking::SharedTaintStep {
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(API::CallNode call | call = API::moduleImport("normalize-url").getACall() |
pred = call.getArgument(0) and
succ = call
)
}
}
/**
* Provides steps for the `goog.Uri` class in the closure library.
*/

389
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
View File

@@ -1285,44 +1285,98 @@ nodes
| TaintedPath.js:195:50:195:53 | path |
| TaintedPath.js:195:50:195:53 | path |
| TaintedPath.js:195:50:195:53 | path |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:38:201:44 | req.url |
| TaintedPath.js:201:38:201:44 | req.url |
| TaintedPath.js:201:38:201:44 | req.url |
| TaintedPath.js:201:38:201:44 | req.url |
| TaintedPath.js:201:38:201:44 | req.url |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:38:203:44 | req.url |
| TaintedPath.js:203:38:203:44 | req.url |
| TaintedPath.js:203:38:203:44 | req.url |
| TaintedPath.js:203:38:203:44 | req.url |
| TaintedPath.js:203:38:203:44 | req.url |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url |
| TaintedPath.js:204:51:204:57 | req.url |
| TaintedPath.js:204:51:204:57 | req.url |
| TaintedPath.js:204:51:204:57 | req.url |
| TaintedPath.js:204:51:204:57 | req.url |
| normalizedPaths.js:11:7:11:27 | path |
| normalizedPaths.js:11:7:11:27 | path |
| normalizedPaths.js:11:7:11:27 | path |
@@ -5544,70 +5598,198 @@ edges
| TaintedPath.js:195:50:195:53 | path | TaintedPath.js:195:29:195:54 | pathMod ... e(path) |
| TaintedPath.js:195:50:195:53 | path | TaintedPath.js:195:29:195:54 | pathMod ... e(path) |
| TaintedPath.js:195:50:195:53 | path | TaintedPath.js:195:29:195:54 | pathMod ... e(path) |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:29:201:45 | qs.parse(req.url) | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:45 | qs.parse(req.url) |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:29:203:45 | qs.parse(req.url) | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:45 | qs.parse(req.url) |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:38:204:58 | normali ... eq.url) | TaintedPath.js:204:29:204:59 | qs.pars ... q.url)) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:38:204:58 | normali ... eq.url) |
| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
@@ -8729,7 +8911,8 @@ edges
| TaintedPath.js:179:29:179:57 | path.re ... /g, '') | TaintedPath.js:166:24:166:30 | req.url | TaintedPath.js:179:29:179:57 | path.re ... /g, '') | This path depends on $@. | TaintedPath.js:166:24:166:30 | req.url | a user-provided value |
| TaintedPath.js:194:29:194:73 | "prefix ... +/, '') | TaintedPath.js:166:24:166:30 | req.url | TaintedPath.js:194:29:194:73 | "prefix ... +/, '') | This path depends on $@. | TaintedPath.js:166:24:166:30 | req.url | a user-provided value |
| TaintedPath.js:195:29:195:84 | pathMod ... +/, '') | TaintedPath.js:166:24:166:30 | req.url | TaintedPath.js:195:29:195:84 | pathMod ... +/, '') | This path depends on $@. | TaintedPath.js:166:24:166:30 | req.url | a user-provided value |
| TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo | TaintedPath.js:201:38:201:44 | req.url | TaintedPath.js:201:29:201:49 | qs.pars ... rl).foo | This path depends on $@. | TaintedPath.js:201:38:201:44 | req.url | a user-provided value |
| TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo | TaintedPath.js:203:38:203:44 | req.url | TaintedPath.js:203:29:203:49 | qs.pars ... rl).foo | This path depends on $@. | TaintedPath.js:203:38:203:44 | req.url | a user-provided value |
| TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo | TaintedPath.js:204:51:204:57 | req.url | TaintedPath.js:204:29:204:63 | qs.pars ... l)).foo | This path depends on $@. | TaintedPath.js:204:51:204:57 | req.url | a user-provided value |
| normalizedPaths.js:13:19:13:22 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:19:13:22 | path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
| normalizedPaths.js:14:19:14:29 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:19:14:29 | './' + path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
| normalizedPaths.js:15:19:15:38 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |

3
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
View File

@@ -195,8 +195,11 @@ var server = http.createServer(function(req, res) {
res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // NOT OK (can be absolute)
});
import normalizeUrl from 'normalize-url';
var server = http.createServer(function(req, res) {
// tests for a few more uri-libraries
const qs = require("qs");
res.write(fs.readFileSync(qs.parse(req.url).foo)); // NOT OK
res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // NOT OK
});