add test for js/template-object-injection

javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected

@@ -0,0 +1,37 @@
+nodes
+| tst.js:5:9:5:46 | bodyParameter |
+| tst.js:5:25:5:32 | req.body |
+| tst.js:5:25:5:32 | req.body |
+| tst.js:5:25:5:46 | req.bod ... rameter |
+| tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter |
+| tst.js:6:26:6:49 | req.que ... rameter |
+| tst.js:8:28:8:40 | bodyParameter |
+| tst.js:8:28:8:40 | bodyParameter |
+| tst.js:9:28:9:41 | queryParameter |
+| tst.js:9:28:9:41 | queryParameter |
+| tst.js:12:32:12:44 | bodyParameter |
+| tst.js:12:32:12:44 | bodyParameter |
+| tst.js:14:28:14:41 | queryParameter |
+| tst.js:14:28:14:46 | queryParameter + "" |
+| tst.js:14:28:14:46 | queryParameter + "" |
+edges
+| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
+| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
+| tst.js:5:9:5:46 | bodyParameter | tst.js:12:32:12:44 | bodyParameter |
+| tst.js:5:9:5:46 | bodyParameter | tst.js:12:32:12:44 | bodyParameter |
+| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
+| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
+| tst.js:5:25:5:46 | req.bod ... rameter | tst.js:5:9:5:46 | bodyParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:14:28:14:41 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
+| tst.js:14:28:14:41 | queryParameter | tst.js:14:28:14:46 | queryParameter + "" |
+| tst.js:14:28:14:41 | queryParameter | tst.js:14:28:14:46 | queryParameter + "" |
+#select
+| tst.js:8:28:8:40 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:8:28:8:40 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
+| tst.js:9:28:9:41 | queryParameter | tst.js:6:26:6:49 | req.que ... rameter | tst.js:9:28:9:41 | queryParameter | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
+| tst.js:12:32:12:44 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:12:32:12:44 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
+| tst.js:14:28:14:46 | queryParameter + "" | tst.js:6:26:6:49 | req.que ... rameter | tst.js:14:28:14:46 | queryParameter + "" | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |

javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-073/TemplateObjectInjection.ql

javascript/ql/test/experimental/Security/CWE-073/tst.js

@@ -0,0 +1,17 @@
+var app = require('express')();
+app.set('view engine', 'hbs');
+
+app.post('/path', function(req, res) {
+    var bodyParameter = req.body.bodyParameter;
+    var queryParameter = req.query.queryParameter;
+
+    res.render('template', bodyParameter); // NOT OK
+    res.render('template', queryParameter); // NOT OK
+
+    if (typeof bodyParameter === "string") {
+        res.render('template', bodyParameter); // OK - but still flagged [INCONSISTENCY]
+    }
+    res.render('template', queryParameter + ""); // OK - but still flagged [INCONSISTENCY]
+
+    res.render('template', {profile: bodyParameter}); // OK
+});