Merge branch 'main' into aegilops/js/insecure-helmet-middleware

2026-04-24 08:15:14 +02:00 · 2024-07-08 11:25:47 +01:00
parent c003f265b0 31a5a7aebc
commit d896fdf9fa
723 changed files with 21159 additions and 5922 deletions
--- a/javascript/extractor/lib/typescript/package-lock.json
+++ b/javascript/extractor/lib/typescript/package-lock.json
@@ -6,7 +6,7 @@
        "": {
            "name": "typescript-parser-wrapper",
            "dependencies": {
-                "typescript": "5.4.2"
+                "typescript": "5.5.2"
            },
            "devDependencies": {
                "@types/node": "18.15.3"
@@ -20,9 +20,10 @@
            "license": "MIT"
        },
        "node_modules/typescript": {
-            "version": "5.4.2",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.4.2.tgz",
-            "integrity": "sha512-+2/g0Fds1ERlP6JsakQQDXjZdZMM+rqpamFZJEKh4kwTIn3iDkgKtby0CeNd5ATNZ4Ry1ax15TMx0W2V+miizQ==",
+            "version": "5.5.2",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.5.2.tgz",
+            "integrity": "sha512-NcRtPEOsPFFWjobJEtfihkLCZCXZt/os3zf8nTxjVH3RvTSxjrCamJpbExGvYOF+tFHc3pA65qpdwPbzjohhew==",
+            "license": "Apache-2.0",
            "bin": {
                "tsc": "bin/tsc",
                "tsserver": "bin/tsserver"
--- a/javascript/extractor/lib/typescript/package.json
+++ b/javascript/extractor/lib/typescript/package.json
@@ -2,7 +2,7 @@
    "name": "typescript-parser-wrapper",
    "private": true,
    "dependencies": {
-        "typescript": "5.4.2"
+        "typescript": "5.5.2"
    },
    "scripts": {
        "build": "tsc --project tsconfig.json",
@@ -14,4 +14,4 @@
    "devDependencies": {
        "@types/node": "18.15.3"
    }
-}
+}
--- a/javascript/extractor/src/com/semmle/jcorn/Identifiers.java
+++ b/javascript/extractor/src/com/semmle/jcorn/Identifiers.java
@@ -115,7 +115,7 @@ public class Identifiers {
  // rare.
  private static boolean isInAstralSet(int code, int[] set) {
    int pos = 0x10000;
-    for (int i = 0; i < set.length; i += 2) {
+    for (int i = 0; i < set.length - 1; i += 2) {
      pos += set[i];
      if (pos > code) return false;
      pos += set[i + 1];
--- a/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
@@ -151,7 +151,7 @@ import com.semmle.util.trap.TrapWriter;
 *
 * <ul>
 *   <li>All JavaScript files, that is, files with one of the extensions supported by {@link
- *       FileType#JS} (currently ".js", ".jsx", ".mjs", ".cjs", ".es6", ".es").
+ *       FileType#JS} (currently ".js", ".jsx", ".mjs", ".cjs", ".es6", ".es", ".xsjs", ".xsjslib").
 *   <li>All HTML files, that is, files with with one of the extensions supported by {@link
 *       FileType#HTML} (currently ".htm", ".html", ".xhtm", ".xhtml", ".vue", ".html.erb", ".html.dot", ".jsp").
 *   <li>All YAML files, that is, files with one of the extensions supported by {@link
--- a/javascript/extractor/src/com/semmle/js/extractor/FileExtractor.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/FileExtractor.java
@@ -135,7 +135,7 @@ public class FileExtractor {
      }
    },

-    JS(".js", ".jsx", ".mjs", ".cjs", ".es6", ".es") {
+    JS(".js", ".jsx", ".mjs", ".cjs", ".es6", ".es", ".xsjs", ".xsjslib") {
      @Override
      public IExtractor mkExtractor(ExtractorConfig config, ExtractorState state) {
        return new ScriptExtractor(config, state);
--- a/javascript/extractor/src/com/semmle/js/extractor/Main.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/Main.java
@@ -527,7 +527,6 @@ public class Main {
      // extract files that are supported, match the layout (if any), pass the includeMatcher,
      // and do not pass the excludeMatcher
      if (fileExtractor.supports(root)
-          && extractorOutputConfig.shouldExtract(root)
          && (explicit || includeMatcher.matches(path) && !excludeMatcher.matches(path))) {
        files.add(normalizeFile(root));
      }
--- a/javascript/extractor/test/com/semmle/js/extractor/test/AutoBuildTests.java
+++ b/javascript/extractor/test/com/semmle/js/extractor/test/AutoBuildTests.java
@@ -178,6 +178,8 @@ public class AutoBuildTests {
    addFile(true, LGTM_SRC, "tst.js");
    addFile(true, LGTM_SRC, "tst.ts");
    addFile(true, LGTM_SRC, "tst.html");
+    addFile(true, LGTM_SRC, "tst.xsjs");
+    addFile(true, LGTM_SRC, "tst.xsjslib");
    addFile(false, LGTM_SRC, "tst.json");
    addFile(true, LGTM_SRC, "package.json");
    addFile(true, LGTM_SRC, ".eslintrc.yml");
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.2
+
+No user-facing changes.
+
 ## 1.0.1

 No user-facing changes.
--- a/javascript/ql/lib/change-notes/2024-04-26-typescript-5-5.md
+++ b/javascript/ql/lib/change-notes/2024-04-26-typescript-5-5.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added support for TypeScript 5.5.
--- a/javascript/ql/lib/change-notes/2024-06-14-type-tracking-array-steps.md
+++ b/javascript/ql/lib/change-notes/2024-06-14-type-tracking-array-steps.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Enabled type-tracking to follow content through array methods
+* Improved modeling of `Array.prototype.splice` for when it is called with more than two arguments
--- a/javascript/ql/lib/change-notes/released/1.0.2.md
+++ b/javascript/ql/lib/change-notes/released/1.0.2.md
@@ -0,0 +1,3 @@
+## 1.0.2
+
+No user-facing changes.
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.1
+lastReleaseVersion: 1.0.2
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 1.0.2-dev
+version: 1.0.3-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/lib/semmle/javascript/Arrays.qll
+++ b/javascript/ql/lib/semmle/javascript/Arrays.qll
@@ -77,8 +77,12 @@ module ArrayTaintTracking {
    succ = call.getReceiver().getALocalSource() and
    call.getCalleeName() = ["push", "unshift"]
    or
-    // `array.splice(i, del, e)`: if `e` is tainted, then so is `array`.
-    pred = call.getArgument(2) and
+    // `array.splice(i, del, e1, e2, ...)`: if any item is tainted, then so is `array`.
+    pred = call.getArgument(any(int i | i >= 2)) and
+    succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
+    or
+    // `array.splice(i, del, ...e)`: if `e` is tainted, then so is `array`.
+    pred = call.getASpreadArgument() and
    succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
    or
    // `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
@@ -115,9 +119,9 @@ private module ArrayDataFlow {
   * A step modeling the creation of an Array using the `Array.from(x)` method.
   * The step copies the elements of the argument (set, array, or iterator elements) into the resulting array.
   */
-  private class ArrayFrom extends DataFlow::SharedFlowStep {
+  private class ArrayFrom extends PreCallGraphStep {
    override predicate loadStoreStep(
-      DataFlow::Node pred, DataFlow::Node succ, string fromProp, string toProp
+      DataFlow::Node pred, DataFlow::SourceNode succ, string fromProp, string toProp
    ) {
      exists(DataFlow::CallNode call |
        call = arrayFromCall() and
@@ -135,9 +139,9 @@ private module ArrayDataFlow {
   *
   * Such a step can occur both with the `push` and `unshift` methods, or when creating a new array.
   */
-  private class ArrayCopySpread extends DataFlow::SharedFlowStep {
+  private class ArrayCopySpread extends PreCallGraphStep {
    override predicate loadStoreStep(
-      DataFlow::Node pred, DataFlow::Node succ, string fromProp, string toProp
+      DataFlow::Node pred, DataFlow::SourceNode succ, string fromProp, string toProp
    ) {
      fromProp = arrayLikeElement() and
      toProp = arrayElement() and
@@ -156,7 +160,7 @@ private module ArrayDataFlow {
  /**
   * A step for storing an element on an array using `arr.push(e)` or `arr.unshift(e)`.
   */
-  private class ArrayAppendStep extends DataFlow::SharedFlowStep {
+  private class ArrayAppendStep extends PreCallGraphStep {
    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      prop = arrayElement() and
      exists(DataFlow::MethodCallNode call |
@@ -187,7 +191,7 @@ private module ArrayDataFlow {
   * A step for reading/writing an element from an array inside a for-loop.
   * E.g. a read from `foo[i]` to `bar` in `for(var i = 0; i < arr.length; i++) {bar = foo[i]}`.
   */
-  private class ArrayIndexingStep extends DataFlow::SharedFlowStep {
+  private class ArrayIndexingStep extends PreCallGraphStep {
    override predicate loadStep(DataFlow::Node obj, DataFlow::Node element, string prop) {
      exists(ArrayIndexingAccess access |
        prop = arrayElement() and
@@ -209,7 +213,7 @@ private module ArrayDataFlow {
   * A step for retrieving an element from an array using `.pop()`, `.shift()`, or `.at()`.
   * E.g. `array.pop()`.
   */
-  private class ArrayPopStep extends DataFlow::SharedFlowStep {
+  private class ArrayPopStep extends PreCallGraphStep {
    override predicate loadStep(DataFlow::Node obj, DataFlow::Node element, string prop) {
      exists(DataFlow::MethodCallNode call |
        call.getMethodName() = ["pop", "shift", "at"] and
@@ -274,25 +278,38 @@ private module ArrayDataFlow {

  /**
   * A step modeling that `splice` can insert elements into an array.
-   * For example in `array.splice(i, del, e)`: if `e` is tainted, then so is `array
+   * For example in `array.splice(i, del, e1, e2, ...)`: if any item is tainted, then so is `array`
   */
-  private class ArraySpliceStep extends DataFlow::SharedFlowStep {
+  private class ArraySpliceStep extends PreCallGraphStep {
    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      exists(DataFlow::MethodCallNode call |
        call.getMethodName() = "splice" and
        prop = arrayElement() and
-        element = call.getArgument(2) and
+        element = call.getArgument(any(int i | i >= 2)) and
        call = obj.getAMethodCall()
      )
    }
+
+    override predicate loadStoreStep(
+      DataFlow::Node pred, DataFlow::SourceNode succ, string fromProp, string toProp
+    ) {
+      fromProp = arrayLikeElement() and
+      toProp = arrayElement() and
+      // `array.splice(i, del, ...arr)` variant
+      exists(DataFlow::MethodCallNode mcn |
+        mcn.getMethodName() = "splice" and
+        pred = mcn.getASpreadArgument() and
+        succ = mcn.getReceiver().getALocalSource()
+      )
+    }
  }

  /**
   * A step for modeling `concat`.
   * For example in `e = arr1.concat(arr2, arr3)`: if any of the `arr` is tainted, then so is `e`.
   */
-  private class ArrayConcatStep extends DataFlow::SharedFlowStep {
-    override predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+  private class ArrayConcatStep extends PreCallGraphStep {
+    override predicate loadStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      exists(DataFlow::MethodCallNode call |
        call.getMethodName() = "concat" and
        prop = arrayElement() and
@@ -305,8 +322,8 @@ private module ArrayDataFlow {
  /**
   * A step for modeling that elements from an array `arr` also appear in the result from calling `slice`/`splice`/`filter`.
   */
-  private class ArraySliceStep extends DataFlow::SharedFlowStep {
-    override predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+  private class ArraySliceStep extends PreCallGraphStep {
+    override predicate loadStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      exists(DataFlow::MethodCallNode call |
        call.getMethodName() = ["slice", "splice", "filter"] and
        prop = arrayElement() and
@@ -319,7 +336,7 @@ private module ArrayDataFlow {
  /**
   * A step modeling that elements from an array `arr` are received by calling `find`.
   */
-  private class ArrayFindStep extends DataFlow::SharedFlowStep {
+  private class ArrayFindStep extends PreCallGraphStep {
    override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
      exists(DataFlow::CallNode call |
        call = arrayFindCall(pred) and
@@ -382,7 +399,7 @@ private module ArrayLibraries {
   * E.g. `array-union` that creates a union of multiple arrays, or `array-uniq` that creates an array with unique elements.
   */
  DataFlow::CallNode arrayCopyCall(DataFlow::Node array) {
-    result = API::moduleImport(["array-union", "array-uniq", "uniq"]).getACall() and
+    result = DataFlow::moduleImport(["array-union", "array-uniq", "uniq"]).getACall() and
    array = result.getAnArgument()
  }

@@ -401,8 +418,8 @@ private module ArrayLibraries {
  /**
   * A loadStoreStep for a library that copies the elements of an array into another array.
   */
-  private class ArrayCopyLoadStore extends DataFlow::SharedFlowStep {
-    override predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+  private class ArrayCopyLoadStore extends PreCallGraphStep {
+    override predicate loadStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      exists(DataFlow::CallNode call |
        call = arrayCopyCall(pred) and
        succ = call and
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.2
+
+No user-facing changes.
+
 ## 1.0.1

 No user-facing changes.
--- a/javascript/ql/src/change-notes/2023-11-27-cors-permissive-configuarion.md
+++ b/javascript/ql/src/change-notes/2023-11-27-cors-permissive-configuarion.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a new experimental query, `js/cors-misconfiguration`, which detects misconfigured CORS HTTP headers in the `cors` and `apollo` libraries. 
--- a/javascript/ql/src/change-notes/released/1.0.2.md
+++ b/javascript/ql/src/change-notes/released/1.0.2.md
@@ -0,0 +1,3 @@
+## 1.0.2
+
+No user-facing changes.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.1
+lastReleaseVersion: 1.0.2
--- a/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.inc.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.inc.qhelp
@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly evaluating user input (for example, an HTTP request parameter) as code without properly
+sanitizing the input first allows an attacker arbitrary code execution. This can occur when user
+input is treated as JavaScript, or passed to a framework which interprets it as an expression to be
+evaluated. Examples include AngularJS expressions or JQuery selectors.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Avoid including user input in any expression which may be dynamically evaluated. If user input must
+be included, use context-specific escaping before
+including it. It is important that the correct escaping is used for the type of evaluation that will
+occur.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows part of the page URL being evaluated as JavaScript code on the server. This allows an
+attacker to provide JavaScript within the URL and send it to server. client side attacks need victim users interaction 
+like clicking on a attacker provided URL.
+</p>
+
+<sample src="examples/CodeInjection.js" />
+
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Code_Injection">Code Injection</a>.
+</li>
+<li>
+Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection">Code Injection</a>.
+</li>
+<li>
+PortSwigger Research Blog:
+<a href="https://portswigger.net/research/server-side-template-injection">Server-Side Template Injection</a>.
+</li>
+</references>
+</qhelp>
--- a/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.qhelp
@@ -0,0 +1,6 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+<include src="CodeInjection.inc.qhelp" />
+</qhelp>
--- a/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql
@@ -0,0 +1,89 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.3
+ * @precision high
+ * @id js/code-injection-dynamic-import
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import DataFlow
+import DataFlow::PathGraph
+
+abstract class Sanitizer extends DataFlow::Node { }
+
+/** A non-first leaf in a string-concatenation. Seen as a sanitizer for dynamic import code injection. */
+class NonFirstStringConcatLeaf extends Sanitizer {
+  NonFirstStringConcatLeaf() {
+    exists(StringOps::ConcatenationRoot root |
+      this = root.getALeaf() and
+      not this = root.getFirstLeaf()
+    )
+    or
+    exists(DataFlow::CallNode join |
+      join = DataFlow::moduleMember("path", "join").getACall() and
+      this = join.getArgument([1 .. join.getNumArgument() - 1])
+    )
+  }
+}
+
+/**
+ * The dynamic import expression input can be a `data:` URL which loads any module from that data
+ */
+class DynamicImport extends DataFlow::ExprNode {
+  DynamicImport() { this = any(DynamicImportExpr e).getSource().flow() }
+}
+
+/**
+ * The dynamic import expression input can be a `data:` URL which loads any module from that data
+ */
+class WorkerThreads extends DataFlow::Node {
+  WorkerThreads() {
+    this = API::moduleImport("node:worker_threads").getMember("Worker").getParameter(0).asSink()
+  }
+}
+
+class UrlConstructorLabel extends FlowLabel {
+  UrlConstructorLabel() { this = "UrlConstructorLabel" }
+}
+
+/**
+ * A taint-tracking configuration for reasoning about code injection vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CodeInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof DynamicImport }
+
+  override predicate isSink(DataFlow::Node sink, FlowLabel label) {
+    sink instanceof WorkerThreads and label instanceof UrlConstructorLabel
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node pred, DataFlow::Node succ, FlowLabel predlbl, FlowLabel succlbl
+  ) {
+    exists(DataFlow::NewNode newUrl | succ = newUrl |
+      newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
+      pred = newUrl.getArgument(0)
+    ) and
+    predlbl instanceof StandardFlowLabel and
+    succlbl instanceof UrlConstructorLabel
+  }
+}
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
+  "user-provided value"
--- a/javascript/ql/src/experimental/Security/CWE-094-dataURL/examples/CodeInjection.js
+++ b/javascript/ql/src/experimental/Security/CWE-094-dataURL/examples/CodeInjection.js
@@ -0,0 +1,14 @@
+const { Worker } = require('node:worker_threads');
+var app = require('express')();
+
+app.post('/path', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    const payloadURL = new URL(payload)
+    new Worker(payloadURL);
+});
+
+app.post('/path2', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    await import(payload)
+});
+
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.qhelp
@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+		<p>
+			Controlling the value of arbitrary environment variables from user-controllable data is not safe.
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		<p>
+			Restrict this operation only to privileged users or only for some not important environment variables.
+		</p>
+
+	</recommendation>
+
+	<example>
+
+		<p>
+			The following example allows unauthorized users to assign a value to any environment variable.
+		</p>
+
+		<sample src="examples/Bad_Value_And_Key_Assignment.js" />
+
+	</example>
+
+	<references>
+		<li> <a href="https://huntr.com/bounties/00ec6847-125b-43e9-9658-d3cace1751d6/">Admin account TakeOver in mintplex-labs/anything-llm</a></li>
+	</references>
+
+</qhelp>
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
@@ -0,0 +1,69 @@
+/**
+ * @name User controlled arbitrary environment variable injection
+ * @description creating arbitrary environment variables from user controlled data is not secure
+ * @kind path-problem
+ * @id js/env-key-and-value-injection
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import javascript
+import DataFlow::PathGraph
+
+/** A taint tracking configuration for unsafe environment injection. */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "envInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = keyOfEnv() or
+    sink = valueOfEnv()
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::InvokeNode ikn |
+      ikn = DataFlow::globalVarRef("Object").getAMemberInvocation("keys")
+    |
+      pred = ikn.getArgument(0) and
+      (
+        succ = ikn.getAChainedMethodCall(["filter", "map"]) or
+        succ = ikn or
+        succ = ikn.getAChainedMethodCall("forEach").getABoundCallbackParameter(0, 0)
+      )
+    )
+  }
+}
+
+DataFlow::Node keyOfEnv() {
+  result =
+    NodeJSLib::process().getAPropertyRead("env").getAPropertyWrite().getPropertyNameExpr().flow()
+}
+
+DataFlow::Node valueOfEnv() {
+  result = API::moduleImport("process").getMember("env").getAMember().asSink()
+}
+
+private predicate readToProcessEnv(DataFlow::Node envKey, DataFlow::Node envValue) {
+  exists(DataFlow::PropWrite env |
+    env = NodeJSLib::process().getAPropertyRead("env").getAPropertyWrite()
+  |
+    envKey = env.getPropertyNameExpr().flow() and
+    envValue = env.getRhs()
+  )
+}
+
+from
+  Configuration cfgForValue, Configuration cfgForKey, DataFlow::PathNode source,
+  DataFlow::PathNode envKey, DataFlow::PathNode envValue
+where
+  cfgForValue.hasFlowPath(source, envKey) and
+  envKey.getNode() = keyOfEnv() and
+  cfgForKey.hasFlowPath(source, envValue) and
+  envValue.getNode() = valueOfEnv() and
+  readToProcessEnv(envKey.getNode(), envValue.getNode())
+select envKey.getNode(), source, envKey, "arbitrary environment variable assignment from this $@.",
+  source.getNode(), "user controllable source"
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.qhelp
@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+		<p>
+			Assigning Value to environment variables from user-controllable data is not safe.
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		<p>
+			Restrict this operation only to privileged users or only for some not important environment variables.
+		</p>
+
+	</recommendation>
+
+	<example>
+
+		<p>
+			The following example allows unauthorized users to assign a value to a critical environment variable.
+		</p>
+
+		<sample src="examples/Bad_Value_Assignment.js" />
+
+	</example>
+
+	<references>
+		<li><a href="https://huntr.com/bounties/00ec6847-125b-43e9-9658-d3cace1751d6/">Admin account TakeOver in mintplex-labs/anything-llm</a></li>
+	</references>
+
+</qhelp>
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
@@ -0,0 +1,30 @@
+/**
+ * @name User controlled environment variable value injection
+ * @description assigning important environment variables from user controlled data is not secure
+ * @kind path-problem
+ * @id js/env-value-injection
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import javascript
+import DataFlow::PathGraph
+
+/** A taint tracking configuration for unsafe environment injection. */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "envInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = API::moduleImport("process").getMember("env").getAMember().asSink()
+  }
+}
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "this environment variable assignment is $@.",
+  source.getNode(), "user controllable"
--- a/javascript/ql/src/experimental/Security/CWE-099/examples/Bad_Value_And_Key_Assignment.js
+++ b/javascript/ql/src/experimental/Security/CWE-099/examples/Bad_Value_And_Key_Assignment.js
@@ -0,0 +1,8 @@
+const http = require('node:http');
+
+http.createServer((req, res) => {
+  const { EnvValue, EnvKey } = req.body;
+  process.env[EnvKey] = EnvValue; // NOT OK
+
+  res.end('env has been injected!');
+});
--- a/javascript/ql/src/experimental/Security/CWE-099/examples/Bad_Value_Assignment.js
+++ b/javascript/ql/src/experimental/Security/CWE-099/examples/Bad_Value_Assignment.js
@@ -0,0 +1,8 @@
+const http = require('node:http');
+
+http.createServer((req, res) => {
+  const { EnvValue } = req.body;
+  process.env["A_Critical_Env"] = EnvValue; // NOT OK
+
+  res.end('env has been injected!');
+});
--- a/javascript/ql/src/experimental/Security/CWE-347/Examples/Bad.js
+++ b/javascript/ql/src/experimental/Security/CWE-347/Examples/Bad.js
@@ -0,0 +1,39 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+app.get('/jose', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // BAD: no signature verification
+    jose.decodeJwt(UserToken)
+})
+
+app.get('/jwtDecode', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // BAD: no signature verification
+    jwt_decode(UserToken)
+})
+
+app.get('/jwtSimple', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // jwt.decode(token, key, noVerify, algorithm)
+    // BAD: no signature verification
+    jwt_simple.decode(UserToken, getSecret(), true);
+})
+
+app.get('/jwtJsonwebtoken', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken)
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})
--- a/javascript/ql/src/experimental/Security/CWE-347/Examples/Good.js
+++ b/javascript/ql/src/experimental/Security/CWE-347/Examples/Good.js
@@ -0,0 +1,56 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+app.get('/jose1', async (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: with signature verification
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))
+})
+
+app.get('/jose2', async (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jose.decodeJwt(UserToken)
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))
+})
+
+app.get('/jwtSimple1', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwt_simple.decode(UserToken, getSecret(), false);
+    jwt_simple.decode(UserToken, getSecret());
+})
+
+app.get('/jwtSimple2', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: with signature verification
+    jwt_simple.decode(UserToken, getSecret(), true);
+    jwt_simple.decode(UserToken, getSecret());
+})
+
+app.get('/jwtJsonwebtoken1', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: with signature verification
+    jwtJsonwebtoken.verify(UserToken, getSecret())
+})
+
+app.get('/jwtJsonwebtoken2', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken)
+    jwtJsonwebtoken.verify(UserToken, getSecret())
+})
+
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})
--- a/javascript/ql/src/experimental/Security/CWE-347/JWT.qll
+++ b/javascript/ql/src/experimental/Security/CWE-347/JWT.qll
@@ -0,0 +1,54 @@
+import javascript
+
+DataFlow::Node unverifiedDecode() {
+  result = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
+  or
+  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
+    verify
+        .getParameter(2)
+        .getMember("algorithms")
+        .getUnknownMember()
+        .asSink()
+        .mayHaveStringValue("none") and
+    result = verify.getParameter(0).asSink()
+  )
+  or
+  // jwt-simple
+  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
+    n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = true) and
+    result = n.getParameter(0).asSink()
+  )
+  or
+  // jwt-decode
+  result = API::moduleImport("jwt-decode").getParameter(0).asSink()
+  or
+  //jose
+  result = API::moduleImport("jose").getMember("decodeJwt").getParameter(0).asSink()
+}
+
+DataFlow::Node verifiedDecode() {
+  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
+    (
+      not verify
+          .getParameter(2)
+          .getMember("algorithms")
+          .getUnknownMember()
+          .asSink()
+          .mayHaveStringValue("none") or
+      not exists(verify.getParameter(2).getMember("algorithms"))
+    ) and
+    result = verify.getParameter(0).asSink()
+  )
+  or
+  // jwt-simple
+  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
+    (
+      n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = false) or
+      not exists(n.getParameter(2))
+    ) and
+    result = n.getParameter(0).asSink()
+    or
+    //jose
+    result = API::moduleImport("jose").getMember("jwtVerify").getParameter(0).asSink()
+  )
+}
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.qhelp
@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+     <overview>
+          <p>
+               A JSON Web Token (JWT) is used for authenticating and managing users in an application.
+          </p>
+          <p>
+               Only Decoding JWTs without checking if they have a valid signature or not can lead to security vulnerabilities.
+          </p>
+
+     </overview>
+     <recommendation>
+
+          <p>
+               Don't use methods that only decode JWT, Instead use methods that verify the signature of JWT.
+          </p>
+
+     </recommendation>
+     <example>
+
+          <p>
+               In the following code, you can see the proper usage of the most popular JWT libraries.
+          </p>
+          <sample src="Examples/Good.js" />
+
+          <p>
+               In the following code, you can see the improper usage of the most popular JWT libraries.
+          </p>
+          <sample src="Examples/Bad.js" />
+     </example>
+     <references>
+          <li>
+               <a href="https://www.ghostccamm.com/blog/multi_strapi_vulns/#cve-2023-22893-authentication-bypass-for-aws-cognito-login-provider-in-strapi-versions-456">JWT claim has not been verified</a>
+          </li>
+     </references>
+
+</qhelp>
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -0,0 +1,40 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.0
+ * @precision high
+ * @id js/decode-jwt-without-verification
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+import DataFlow::PathGraph
+import JWT
+
+class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
+  ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
+}
+
+class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
+  ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+}
+
+from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  cfg.hasFlowPath(source, sink) and
+  not exists(ConfigurationVerifiedDecode cfg2 |
+    cfg2.hasFlowPath(any(DataFlow::PathNode p | p.getNode() = source.getNode()), _)
+  )
+select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
+  "without signature verification"
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
@@ -0,0 +1,55 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.0
+ * @precision high
+ * @id js/decode-jwt-without-verification-local-source
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+import DataFlow::PathGraph
+import JWT
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "jsonwebtoken without any signature verification" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source = [unverifiedDecode(), verifiedDecode()].getALocalSource()
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = unverifiedDecode()
+    or
+    sink = verifiedDecode()
+  }
+}
+
+/** Holds if `source` flows to the first parameter of jsonwebtoken.verify */
+predicate isSafe(Configuration cfg, DataFlow::Node source) {
+  exists(DataFlow::Node sink |
+    cfg.hasFlow(source, sink) and
+    sink = verifiedDecode()
+  )
+}
+
+/**
+ * Holds if:
+ * - `source` does not flow to the first parameter of `jsonwebtoken.verify`, and
+ * - `source` flows to the first parameter of `jsonwebtoken.decode`
+ */
+predicate isVulnerable(Configuration cfg, DataFlow::Node source, DataFlow::Node sink) {
+  not isSafe(cfg, source) and // i.e., source does not flow to a verify call
+  cfg.hasFlow(source, sink) and // but it does flow to something else
+  sink = unverifiedDecode() // and that something else is a call to decode.
+}
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  cfg.hasFlowPath(source, sink) and
+  isVulnerable(cfg, source.getNode(), sink.getNode())
+select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
+  "without signature verification"
--- a/javascript/ql/src/experimental/Security/CWE-942/Apollo.qll
+++ b/javascript/ql/src/experimental/Security/CWE-942/Apollo.qll
@@ -0,0 +1,36 @@
+/**
+ * Provides classes for working with Apollo GraphQL connectors.
+ */
+
+import javascript
+
+/** Provides classes modeling the apollo packages [@apollo/server](https://npmjs.com/package/@apollo/server`) */
+module Apollo {
+  /** Get a reference to the `ApolloServer` class. */
+  private API::Node apollo() {
+    result =
+      API::moduleImport([
+          "@apollo/server", "@apollo/apollo-server-express", "@apollo/apollo-server-core",
+          "apollo-server", "apollo-server-express"
+        ]).getMember("ApolloServer")
+  }
+
+  /** Gets a reference to the `gql` function that parses GraphQL strings. */
+  private API::Node gql() {
+    result =
+      API::moduleImport([
+          "@apollo/server", "@apollo/apollo-server-express", "@apollo/apollo-server-core",
+          "apollo-server", "apollo-server-express"
+        ]).getMember("gql")
+  }
+
+  /** An instantiation of an `ApolloServer`. */
+  class ApolloServer extends API::NewNode {
+    ApolloServer() { this = apollo().getAnInstantiation() }
+  }
+
+  /** A string that is interpreted as a GraphQL query by a `apollo` package. */
+  private class ApolloGraphQLString extends GraphQL::GraphQLString {
+    ApolloGraphQLString() { this = gql().getACall().getArgument(0) }
+  }
+}
--- a/javascript/ql/src/experimental/Security/CWE-942/Cors.qll
+++ b/javascript/ql/src/experimental/Security/CWE-942/Cors.qll
@@ -0,0 +1,24 @@
+/**
+ * Provides classes for working with Cors connectors.
+ */
+
+import javascript
+
+/** Provides classes modeling the [cors](https://npmjs.com/package/cors) library. */
+module Cors {
+  /**
+   * An expression that creates a new CORS configuration.
+   */
+  class Cors extends DataFlow::CallNode {
+    Cors() { this = DataFlow::moduleImport("cors").getAnInvocation() }
+
+    /** Get the options used to configure Cors */
+    DataFlow::Node getOptionsArgument() { result = this.getArgument(0) }
+
+    /** Holds if cors is using default configuration */
+    predicate isDefault() { this.getNumArgument() = 0 }
+
+    /** Gets the value of the `origin` option used to configure this Cors instance. */
+    DataFlow::Node getOrigin() { result = this.getOptionArgument(0, "origin") }
+  }
+}
--- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.qhelp
@@ -0,0 +1,71 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+	<p>
+
+		A server can use <code>CORS</code> (Cross-Origin Resource Sharing) to relax the 
+        restrictions imposed by the <code>SOP</code> (Same-Origin Policy), allowing controlled, secure
+        cross-origin requests when necessary. 
+
+        A server with an overly permissive <code>CORS</code> configuration may inadvertently 
+        expose sensitive data or lead to <code>CSRF</code> which is an attack that allows attackers to trick
+        users into performing unwanted operations in websites they're authenticated to.
+
+	</p>
+
+</overview>
+
+<recommendation>
+	<p>
+
+		When the <code>origin</code> is set to <code>true</code>, it signifies that the server 
+        is accepting requests from <code>any</code> origin, potentially exposing the system to 
+        CSRF attacks. This can be fixed using <code>false</code> as origin value or using a whitelist.
+
+	</p>
+	<p>
+
+		On the other hand, if the <code>origin</code> is 
+        set to <code>null</code>, it can be exploited by an attacker to deceive a user into making 
+        requests from a <code>null</code> origin form, often hosted within a sandboxed iframe.
+
+	</p>
+
+    <p>
+
+		If the <code>origin</code> value is user controlled, make sure that the data
+        is properly sanitized.
+
+	</p>
+</recommendation>
+
+<example>
+	<p>
+
+		In the example below, the <code>server_1</code> accepts requests from any origin
+        since the value of <code>origin</code> is set to <code>true</code>. 
+		And <code>server_2</code>'s origin is user-controlled.
+
+	</p>
+
+	<sample src="examples/CorsPermissiveConfigurationBad.js"/>
+
+	<p>
+
+		In the example below, the <code>server_1</code> CORS is restrictive so it's not
+		vulnerable to CSRF attacks. And <code>server_2</code>'s is using properly sanitized
+		user-controlled data.
+
+	</p>
+
+	<sample src="examples/CorsPermissiveConfigurationGood.js"/>
+</example>
+
+<references>
+	<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin">CORS, Access-Control-Allow-Origin</a>.</li>
+	<li>W3C: <a href="https://w3c.github.io/webappsec-cors-for-developers/#resources">CORS for developers, Advice for Resource Owners</a></li>
+</references>
+</qhelp>
--- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.ql
+++ b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.ql
@@ -0,0 +1,20 @@
+/**
+ * @name overly CORS configuration
+ * @description Misconfiguration of CORS HTTP headers allows CSRF attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id js/cors-misconfiguration
+ * @tags security
+ *       external/cwe/cwe-942
+ */
+
+import javascript
+import CorsPermissiveConfigurationQuery
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "CORS Origin misconfiguration due to a $@.", source.getNode(),
+  "too permissive or user controlled value"
--- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll
+++ b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll
@@ -0,0 +1,95 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * overly permissive CORS configurations, as well as
+ * extension points for adding your own.
+ */
+
+import javascript
+import Cors::Cors
+import Apollo::Apollo
+
+/** Module containing sources, sinks, and sanitizers for overly permissive CORS configurations. */
+module CorsPermissiveConfiguration {
+  /**
+   * A data flow source for permissive CORS configuration.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for permissive CORS configuration.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for permissive CORS configuration.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for CORS misconfiguration. */
+  class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
+    RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
+  }
+
+  /** A flow label representing `true` and `null` values. */
+  abstract class TrueAndNull extends DataFlow::FlowLabel {
+    TrueAndNull() { this = "TrueAndNull" }
+  }
+
+  TrueAndNull truenullLabel() { any() }
+
+  /** A flow label representing `*` value. */
+  abstract class Wildcard extends DataFlow::FlowLabel {
+    Wildcard() { this = "Wildcard" }
+  }
+
+  Wildcard wildcardLabel() { any() }
+
+  /** An overly permissive value for `origin` (Apollo) */
+  class TrueNullValue extends Source {
+    TrueNullValue() { this.mayHaveBooleanValue(true) or this.asExpr() instanceof NullLiteral }
+  }
+
+  /** An overly permissive value for `origin` (Express) */
+  class WildcardValue extends Source {
+    WildcardValue() { this.mayHaveStringValue("*") }
+  }
+
+  /**
+   * The value of cors origin when initializing the application.
+   */
+  class CorsApolloServer extends Sink, DataFlow::ValueNode {
+    CorsApolloServer() {
+      exists(ApolloServer agql |
+        this =
+          agql.getOptionArgument(0, "cors").getALocalSource().getAPropertyWrite("origin").getRhs()
+      )
+    }
+  }
+
+  /**
+   * The value of cors origin when initializing the application.
+   */
+  class ExpressCors extends Sink, DataFlow::ValueNode {
+    ExpressCors() {
+      exists(CorsConfiguration config | this = config.getCorsConfiguration().getOrigin())
+    }
+  }
+
+  /**
+   * An express route setup configured with the `cors` package.
+   */
+  class CorsConfiguration extends DataFlow::MethodCallNode {
+    Cors corsConfig;
+
+    CorsConfiguration() {
+      exists(Express::RouteSetup setup | this = setup |
+        if setup.isUseCall()
+        then corsConfig = setup.getArgument(0)
+        else corsConfig = setup.getArgument(any(int i | i > 0))
+      )
+    }
+
+    /** Gets the expression that configures `cors` on this route setup. */
+    Cors getCorsConfiguration() { result = corsConfig }
+  }
+}
--- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll
+++ b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll
@@ -0,0 +1,46 @@
+/**
+ * Provides a dataflow taint tracking configuration for reasoning
+ * about overly permissive CORS configurations.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CorsPermissiveConfiguration::Configuration` is needed,
+ * otherwise `CorsPermissiveConfigurationCustomizations` should
+ * be imported instead.
+ */
+
+import javascript
+import CorsPermissiveConfigurationCustomizations::CorsPermissiveConfiguration
+
+/**
+ * A data flow configuration for overly permissive CORS configuration.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CorsPermissiveConfiguration" }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    source instanceof TrueNullValue and label = truenullLabel()
+    or
+    source instanceof WildcardValue and label = wildcardLabel()
+    or
+    source instanceof RemoteFlowSource and label = DataFlow::FlowLabel::taint()
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    sink instanceof CorsApolloServer and label = [DataFlow::FlowLabel::taint(), truenullLabel()]
+    or
+    sink instanceof ExpressCors and label = [DataFlow::FlowLabel::taint(), wildcardLabel()]
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node) or
+    node instanceof Sanitizer
+  }
+}
+
+private class WildcardActivated extends DataFlow::FlowLabel, Wildcard {
+  WildcardActivated() { this = this }
+}
+
+private class TrueAndNullActivated extends DataFlow::FlowLabel, TrueAndNull {
+  TrueAndNullActivated() { this = this }
+}
--- a/javascript/ql/src/experimental/Security/CWE-942/examples/CorsPermissiveConfigurationBad.js
+++ b/javascript/ql/src/experimental/Security/CWE-942/examples/CorsPermissiveConfigurationBad.js
@@ -0,0 +1,18 @@
+import { ApolloServer } from 'apollo-server';
+var https = require('https'),
+    url = require('url');
+
+var server = https.createServer(function () { });
+
+server.on('request', function (req, res) {
+    // BAD: origin is too permissive
+    const server_1 = new ApolloServer({
+        cors: { origin: true }
+    });
+
+    let user_origin = url.parse(req.url, true).query.origin;
+    // BAD: CORS is controlled by user
+    const server_2 = new ApolloServer({
+        cors: { origin: user_origin }
+    });
+});
--- a/javascript/ql/src/experimental/Security/CWE-942/examples/CorsPermissiveConfigurationGood.js
+++ b/javascript/ql/src/experimental/Security/CWE-942/examples/CorsPermissiveConfigurationGood.js
@@ -0,0 +1,18 @@
+import { ApolloServer } from 'apollo-server';
+var https = require('https'),
+    url = require('url');
+
+var server = https.createServer(function () { });
+
+server.on('request', function (req, res) {
+    // GOOD: origin is restrictive
+    const server_1 = new ApolloServer({
+        cors: { origin: false }
+    });
+
+    let user_origin = url.parse(req.url, true).query.origin;
+    // GOOD: user data is properly sanitized
+    const server_2 = new ApolloServer({
+        cors: { origin: (user_origin === "https://allowed1.com" || user_origin === "https://allowed2.com") ? user_origin : false }
+    });
+});
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 1.0.2-dev
+version: 1.0.3-dev
 groups:
  - javascript
  - queries
--- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected
+++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected
@@ -0,0 +1,51 @@
+nodes
+| test.js:5:11:5:44 | payload |
+| test.js:5:21:5:44 | req.que ... rameter |
+| test.js:5:21:5:44 | req.que ... rameter |
+| test.js:6:9:6:43 | payloadURL |
+| test.js:6:22:6:43 | new URL ...  + sth) |
+| test.js:6:30:6:36 | payload |
+| test.js:6:30:6:42 | payload + sth |
+| test.js:7:16:7:25 | payloadURL |
+| test.js:7:16:7:25 | payloadURL |
+| test.js:9:5:9:39 | payloadURL |
+| test.js:9:18:9:39 | new URL ...  + sth) |
+| test.js:9:26:9:32 | payload |
+| test.js:9:26:9:38 | payload + sth |
+| test.js:10:16:10:25 | payloadURL |
+| test.js:10:16:10:25 | payloadURL |
+| test.js:17:11:17:44 | payload |
+| test.js:17:21:17:44 | req.que ... rameter |
+| test.js:17:21:17:44 | req.que ... rameter |
+| test.js:18:18:18:24 | payload |
+| test.js:18:18:18:24 | payload |
+| test.js:19:18:19:24 | payload |
+| test.js:19:18:19:30 | payload + sth |
+| test.js:19:18:19:30 | payload + sth |
+edges
+| test.js:5:11:5:44 | payload | test.js:6:30:6:36 | payload |
+| test.js:5:11:5:44 | payload | test.js:9:26:9:32 | payload |
+| test.js:5:21:5:44 | req.que ... rameter | test.js:5:11:5:44 | payload |
+| test.js:5:21:5:44 | req.que ... rameter | test.js:5:11:5:44 | payload |
+| test.js:6:9:6:43 | payloadURL | test.js:7:16:7:25 | payloadURL |
+| test.js:6:9:6:43 | payloadURL | test.js:7:16:7:25 | payloadURL |
+| test.js:6:22:6:43 | new URL ...  + sth) | test.js:6:9:6:43 | payloadURL |
+| test.js:6:30:6:36 | payload | test.js:6:30:6:42 | payload + sth |
+| test.js:6:30:6:42 | payload + sth | test.js:6:22:6:43 | new URL ...  + sth) |
+| test.js:9:5:9:39 | payloadURL | test.js:10:16:10:25 | payloadURL |
+| test.js:9:5:9:39 | payloadURL | test.js:10:16:10:25 | payloadURL |
+| test.js:9:18:9:39 | new URL ...  + sth) | test.js:9:5:9:39 | payloadURL |
+| test.js:9:26:9:32 | payload | test.js:9:26:9:38 | payload + sth |
+| test.js:9:26:9:38 | payload + sth | test.js:9:18:9:39 | new URL ...  + sth) |
+| test.js:17:11:17:44 | payload | test.js:18:18:18:24 | payload |
+| test.js:17:11:17:44 | payload | test.js:18:18:18:24 | payload |
+| test.js:17:11:17:44 | payload | test.js:19:18:19:24 | payload |
+| test.js:17:21:17:44 | req.que ... rameter | test.js:17:11:17:44 | payload |
+| test.js:17:21:17:44 | req.que ... rameter | test.js:17:11:17:44 | payload |
+| test.js:19:18:19:24 | payload | test.js:19:18:19:30 | payload + sth |
+| test.js:19:18:19:24 | payload | test.js:19:18:19:30 | payload + sth |
+#select
+| test.js:7:16:7:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:7:16:7:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value |
+| test.js:10:16:10:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:10:16:10:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value |
+| test.js:18:18:18:24 | payload | test.js:17:21:17:44 | req.que ... rameter | test.js:18:18:18:24 | payload | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value |
+| test.js:19:18:19:30 | payload + sth | test.js:17:21:17:44 | req.que ... rameter | test.js:19:18:19:30 | payload + sth | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value |
--- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.qlref
+++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-094-dataURL/CodeInjection.ql
--- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js
+++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js
@@ -0,0 +1,22 @@
+const { Worker } = require('node:worker_threads');
+var app = require('express')();
+
+app.post('/path', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    let payloadURL = new URL(payload + sth) // NOT OK
+    new Worker(payloadURL);
+
+    payloadURL = new URL(payload + sth) // NOT OK
+    new Worker(payloadURL);
+
+    payloadURL = new URL(sth + payload) // OK
+    new Worker(payloadURL);
+});
+
+app.post('/path2', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    await import(payload) // NOT OK
+    await import(payload + sth) // NOT OK
+    await import(sth + payload) // OK
+});
+
--- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected
+++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected
@@ -0,0 +1,55 @@
+nodes
+| test.js:5:9:5:28 | { EnvValue, EnvKey } |
+| test.js:5:9:5:39 | EnvKey |
+| test.js:5:9:5:39 | EnvValue |
+| test.js:5:11:5:18 | EnvValue |
+| test.js:5:21:5:26 | EnvKey |
+| test.js:5:32:5:39 | req.body |
+| test.js:5:32:5:39 | req.body |
+| test.js:6:15:6:20 | EnvKey |
+| test.js:6:15:6:20 | EnvKey |
+| test.js:6:25:6:32 | EnvValue |
+| test.js:6:25:6:32 | EnvValue |
+| test.js:7:15:7:20 | EnvKey |
+| test.js:7:15:7:20 | EnvKey |
+| test.js:7:25:7:32 | EnvValue |
+| test.js:7:25:7:32 | EnvValue |
+| test.js:13:9:13:28 | { EnvValue, EnvKey } |
+| test.js:13:9:13:39 | EnvKey |
+| test.js:13:9:13:39 | EnvValue |
+| test.js:13:11:13:18 | EnvValue |
+| test.js:13:21:13:26 | EnvKey |
+| test.js:13:32:13:39 | req.body |
+| test.js:13:32:13:39 | req.body |
+| test.js:15:15:15:20 | EnvKey |
+| test.js:15:15:15:20 | EnvKey |
+| test.js:16:26:16:33 | EnvValue |
+| test.js:16:26:16:33 | EnvValue |
+edges
+| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:11:5:18 | EnvValue |
+| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:21:5:26 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey |
+| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue |
+| test.js:5:11:5:18 | EnvValue | test.js:5:9:5:39 | EnvValue |
+| test.js:5:21:5:26 | EnvKey | test.js:5:9:5:39 | EnvKey |
+| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } |
+| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } |
+| test.js:13:9:13:28 | { EnvValue, EnvKey } | test.js:13:11:13:18 | EnvValue |
+| test.js:13:9:13:28 | { EnvValue, EnvKey } | test.js:13:21:13:26 | EnvKey |
+| test.js:13:9:13:39 | EnvKey | test.js:15:15:15:20 | EnvKey |
+| test.js:13:9:13:39 | EnvKey | test.js:15:15:15:20 | EnvKey |
+| test.js:13:9:13:39 | EnvValue | test.js:16:26:16:33 | EnvValue |
+| test.js:13:9:13:39 | EnvValue | test.js:16:26:16:33 | EnvValue |
+| test.js:13:11:13:18 | EnvValue | test.js:13:9:13:39 | EnvValue |
+| test.js:13:21:13:26 | EnvKey | test.js:13:9:13:39 | EnvKey |
+| test.js:13:32:13:39 | req.body | test.js:13:9:13:28 | { EnvValue, EnvKey } |
+| test.js:13:32:13:39 | req.body | test.js:13:9:13:28 | { EnvValue, EnvKey } |
+#select
+| test.js:6:15:6:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:6:15:6:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |
+| test.js:7:15:7:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:7:15:7:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |
--- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.qlref
+++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
--- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/test.js
+++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/test.js
@@ -0,0 +1,19 @@
+const http = require('node:http');
+
+
+http.createServer((req, res) => {
+  const { EnvValue, EnvKey } = req.body;
+  process.env[EnvKey] = EnvValue; // NOT OK
+  process.env[EnvKey] = EnvValue; // NOT OK
+
+  res.end('env has been injected!');
+});
+
+http.createServer((req, res) => {
+  const { EnvValue, EnvKey } = req.body;
+
+  process.env[EnvKey] = "constant" // OK
+  process.env.constant = EnvValue // OK
+
+  res.end('env has been injected!');
+});
--- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected
+++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected
@@ -0,0 +1,27 @@
+nodes
+| test.js:4:9:4:20 | { EnvValue } |
+| test.js:4:9:4:31 | EnvValue |
+| test.js:4:11:4:18 | EnvValue |
+| test.js:4:24:4:31 | req.body |
+| test.js:4:24:4:31 | req.body |
+| test.js:5:35:5:42 | EnvValue |
+| test.js:5:35:5:42 | EnvValue |
+| test.js:6:23:6:30 | EnvValue |
+| test.js:6:23:6:30 | EnvValue |
+| test.js:7:22:7:29 | EnvValue |
+| test.js:7:22:7:29 | EnvValue |
+edges
+| test.js:4:9:4:20 | { EnvValue } | test.js:4:11:4:18 | EnvValue |
+| test.js:4:9:4:31 | EnvValue | test.js:5:35:5:42 | EnvValue |
+| test.js:4:9:4:31 | EnvValue | test.js:5:35:5:42 | EnvValue |
+| test.js:4:9:4:31 | EnvValue | test.js:6:23:6:30 | EnvValue |
+| test.js:4:9:4:31 | EnvValue | test.js:6:23:6:30 | EnvValue |
+| test.js:4:9:4:31 | EnvValue | test.js:7:22:7:29 | EnvValue |
+| test.js:4:9:4:31 | EnvValue | test.js:7:22:7:29 | EnvValue |
+| test.js:4:11:4:18 | EnvValue | test.js:4:9:4:31 | EnvValue |
+| test.js:4:24:4:31 | req.body | test.js:4:9:4:20 | { EnvValue } |
+| test.js:4:24:4:31 | req.body | test.js:4:9:4:20 | { EnvValue } |
+#select
+| test.js:5:35:5:42 | EnvValue | test.js:4:24:4:31 | req.body | test.js:5:35:5:42 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable |
+| test.js:6:23:6:30 | EnvValue | test.js:4:24:4:31 | req.body | test.js:6:23:6:30 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable |
+| test.js:7:22:7:29 | EnvValue | test.js:4:24:4:31 | req.body | test.js:7:22:7:29 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable |
--- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.qlref
+++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-099/EnvValueInjection.ql
--- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/test.js
+++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/test.js
@@ -0,0 +1,10 @@
+const http = require('node:http');
+
+http.createServer((req, res) => {
+  const { EnvValue } = req.body;
+  process.env["A_Critical_Env"] = EnvValue; // NOT OK
+  process.env[AKey] = EnvValue; // NOT OK
+  process.env.AKey = EnvValue; // NOT OK
+
+  res.end('env has been injected!');
+});
--- a/javascript/ql/test/experimental/Security/CWE-347/localsource/JsonWebToken.js
+++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/JsonWebToken.js
@@ -0,0 +1,48 @@
+const express = require('express')
+const jwtJsonwebtoken = require('jsonwebtoken');
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+function aJWT() {
+    return "A JWT provided by user"
+}
+
+(function () {
+    const UserToken = aJwt()
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken) // NOT OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken) // NOT OK
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: with signature verification
+    jwtJsonwebtoken.verify(UserToken, getSecret())  // OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken)  // OK
+    jwtJsonwebtoken.verify(UserToken, getSecret())  // OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken) // OK
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] }) // OK
+})();
--- a/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected
+++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected
@@ -0,0 +1,141 @@
+nodes
+| JsonWebToken.js:13:11:13:28 | UserToken |
+| JsonWebToken.js:13:23:13:28 | aJwt() |
+| JsonWebToken.js:13:23:13:28 | aJwt() |
+| JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:20:11:20:28 | UserToken |
+| JsonWebToken.js:20:23:20:28 | aJwt() |
+| JsonWebToken.js:20:23:20:28 | aJwt() |
+| JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:28:11:28:28 | UserToken |
+| JsonWebToken.js:28:23:28:28 | aJwt() |
+| JsonWebToken.js:28:23:28:28 | aJwt() |
+| JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:35:11:35:28 | UserToken |
+| JsonWebToken.js:35:23:35:28 | aJwt() |
+| JsonWebToken.js:35:23:35:28 | aJwt() |
+| JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:43:11:43:28 | UserToken |
+| JsonWebToken.js:43:23:43:28 | aJwt() |
+| JsonWebToken.js:43:23:43:28 | aJwt() |
+| JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:47:28:47:36 | UserToken |
+| jose.js:12:11:12:28 | UserToken |
+| jose.js:12:23:12:28 | aJwt() |
+| jose.js:12:23:12:28 | aJwt() |
+| jose.js:15:20:15:28 | UserToken |
+| jose.js:15:20:15:28 | UserToken |
+| jose.js:19:11:19:28 | UserToken |
+| jose.js:19:23:19:28 | aJwt() |
+| jose.js:19:23:19:28 | aJwt() |
+| jose.js:22:20:22:28 | UserToken |
+| jose.js:22:20:22:28 | UserToken |
+| jose.js:23:26:23:34 | UserToken |
+| jose.js:23:26:23:34 | UserToken |
+| jose.js:27:11:27:28 | UserToken |
+| jose.js:27:23:27:28 | aJwt() |
+| jose.js:27:23:27:28 | aJwt() |
+| jose.js:30:26:30:34 | UserToken |
+| jose.js:30:26:30:34 | UserToken |
+| jwtDecode.js:13:11:13:28 | UserToken |
+| jwtDecode.js:13:23:13:28 | aJwt() |
+| jwtDecode.js:13:23:13:28 | aJwt() |
+| jwtDecode.js:17:16:17:24 | UserToken |
+| jwtDecode.js:17:16:17:24 | UserToken |
+| jwtSimple.js:13:11:13:28 | UserToken |
+| jwtSimple.js:13:23:13:28 | aJwt() |
+| jwtSimple.js:13:23:13:28 | aJwt() |
+| jwtSimple.js:16:23:16:31 | UserToken |
+| jwtSimple.js:16:23:16:31 | UserToken |
+| jwtSimple.js:20:11:20:28 | UserToken |
+| jwtSimple.js:20:23:20:28 | aJwt() |
+| jwtSimple.js:20:23:20:28 | aJwt() |
+| jwtSimple.js:23:23:23:31 | UserToken |
+| jwtSimple.js:23:23:23:31 | UserToken |
+| jwtSimple.js:24:23:24:31 | UserToken |
+| jwtSimple.js:24:23:24:31 | UserToken |
+| jwtSimple.js:28:11:28:28 | UserToken |
+| jwtSimple.js:28:23:28:28 | aJwt() |
+| jwtSimple.js:28:23:28:28 | aJwt() |
+| jwtSimple.js:31:23:31:31 | UserToken |
+| jwtSimple.js:31:23:31:31 | UserToken |
+| jwtSimple.js:32:23:32:31 | UserToken |
+| jwtSimple.js:32:23:32:31 | UserToken |
+edges
+| JsonWebToken.js:13:11:13:28 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:13:11:13:28 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:13:11:13:28 | UserToken |
+| JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:13:11:13:28 | UserToken |
+| JsonWebToken.js:20:11:20:28 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:20:11:20:28 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:20:11:20:28 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:20:11:20:28 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:11:20:28 | UserToken |
+| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:11:20:28 | UserToken |
+| JsonWebToken.js:28:11:28:28 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:28:11:28:28 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:28:23:28:28 | aJwt() | JsonWebToken.js:28:11:28:28 | UserToken |
+| JsonWebToken.js:28:23:28:28 | aJwt() | JsonWebToken.js:28:11:28:28 | UserToken |
+| JsonWebToken.js:35:11:35:28 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:35:11:35:28 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:35:11:35:28 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:35:11:35:28 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:35:23:35:28 | aJwt() | JsonWebToken.js:35:11:35:28 | UserToken |
+| JsonWebToken.js:35:23:35:28 | aJwt() | JsonWebToken.js:35:11:35:28 | UserToken |
+| JsonWebToken.js:43:11:43:28 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:43:11:43:28 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:43:11:43:28 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:43:11:43:28 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:43:23:43:28 | aJwt() | JsonWebToken.js:43:11:43:28 | UserToken |
+| JsonWebToken.js:43:23:43:28 | aJwt() | JsonWebToken.js:43:11:43:28 | UserToken |
+| jose.js:12:11:12:28 | UserToken | jose.js:15:20:15:28 | UserToken |
+| jose.js:12:11:12:28 | UserToken | jose.js:15:20:15:28 | UserToken |
+| jose.js:12:23:12:28 | aJwt() | jose.js:12:11:12:28 | UserToken |
+| jose.js:12:23:12:28 | aJwt() | jose.js:12:11:12:28 | UserToken |
+| jose.js:19:11:19:28 | UserToken | jose.js:22:20:22:28 | UserToken |
+| jose.js:19:11:19:28 | UserToken | jose.js:22:20:22:28 | UserToken |
+| jose.js:19:11:19:28 | UserToken | jose.js:23:26:23:34 | UserToken |
+| jose.js:19:11:19:28 | UserToken | jose.js:23:26:23:34 | UserToken |
+| jose.js:19:23:19:28 | aJwt() | jose.js:19:11:19:28 | UserToken |
+| jose.js:19:23:19:28 | aJwt() | jose.js:19:11:19:28 | UserToken |
+| jose.js:27:11:27:28 | UserToken | jose.js:30:26:30:34 | UserToken |
+| jose.js:27:11:27:28 | UserToken | jose.js:30:26:30:34 | UserToken |
+| jose.js:27:23:27:28 | aJwt() | jose.js:27:11:27:28 | UserToken |
+| jose.js:27:23:27:28 | aJwt() | jose.js:27:11:27:28 | UserToken |
+| jwtDecode.js:13:11:13:28 | UserToken | jwtDecode.js:17:16:17:24 | UserToken |
+| jwtDecode.js:13:11:13:28 | UserToken | jwtDecode.js:17:16:17:24 | UserToken |
+| jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:13:11:13:28 | UserToken |
+| jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:13:11:13:28 | UserToken |
+| jwtSimple.js:13:11:13:28 | UserToken | jwtSimple.js:16:23:16:31 | UserToken |
+| jwtSimple.js:13:11:13:28 | UserToken | jwtSimple.js:16:23:16:31 | UserToken |
+| jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:13:11:13:28 | UserToken |
+| jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:13:11:13:28 | UserToken |
+| jwtSimple.js:20:11:20:28 | UserToken | jwtSimple.js:23:23:23:31 | UserToken |
+| jwtSimple.js:20:11:20:28 | UserToken | jwtSimple.js:23:23:23:31 | UserToken |
+| jwtSimple.js:20:11:20:28 | UserToken | jwtSimple.js:24:23:24:31 | UserToken |
+| jwtSimple.js:20:11:20:28 | UserToken | jwtSimple.js:24:23:24:31 | UserToken |
+| jwtSimple.js:20:23:20:28 | aJwt() | jwtSimple.js:20:11:20:28 | UserToken |
+| jwtSimple.js:20:23:20:28 | aJwt() | jwtSimple.js:20:11:20:28 | UserToken |
+| jwtSimple.js:28:11:28:28 | UserToken | jwtSimple.js:31:23:31:31 | UserToken |
+| jwtSimple.js:28:11:28:28 | UserToken | jwtSimple.js:31:23:31:31 | UserToken |
+| jwtSimple.js:28:11:28:28 | UserToken | jwtSimple.js:32:23:32:31 | UserToken |
+| jwtSimple.js:28:11:28:28 | UserToken | jwtSimple.js:32:23:32:31 | UserToken |
+| jwtSimple.js:28:23:28:28 | aJwt() | jwtSimple.js:28:11:28:28 | UserToken |
+| jwtSimple.js:28:23:28:28 | aJwt() | jwtSimple.js:28:11:28:28 | UserToken |
+#select
+| JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification |
+| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification |
+| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:24:28:24:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:24:28:24:36 | UserToken | without signature verification |
+| jose.js:12:23:12:28 | aJwt() | jose.js:12:23:12:28 | aJwt() | jose.js:15:20:15:28 | UserToken | Decoding JWT $@. | jose.js:15:20:15:28 | UserToken | without signature verification |
+| jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:17:16:17:24 | UserToken | Decoding JWT $@. | jwtDecode.js:17:16:17:24 | UserToken | without signature verification |
+| jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:16:23:16:31 | UserToken | Decoding JWT $@. | jwtSimple.js:16:23:16:31 | UserToken | without signature verification |
--- a/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.qlref
+++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
--- a/javascript/ql/test/experimental/Security/CWE-347/localsource/jose.js
+++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/jose.js
@@ -0,0 +1,31 @@
+const jose = require('jose')
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+function aJWT() {
+    return "A JWT provided by user"
+}
+
+(function () {
+    const UserToken = aJwt()
+
+    // no signature verification
+    jose.decodeJwt(UserToken) // NOT OK
+})();
+
+(async function () {
+    const UserToken = aJwt()
+
+    // first without signature verification then with signature verification for same UserToken
+    jose.decodeJwt(UserToken)  // OK
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))  // OK
+})();
+
+(async function () {
+    const UserToken = aJwt()
+
+    // with signature verification
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))  // OK
+})();
--- a/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtDecode.js
+++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtDecode.js
@@ -0,0 +1,18 @@
+const express = require('express')
+const jwt_decode = require('jwt-decode');
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+function aJWT() {
+    return "A JWT provided by user"
+}
+
+(function () {
+    const UserToken = aJwt()
+
+    // jwt-decode
+    // no signature verification
+    jwt_decode(UserToken) // NOT OK
+})();
--- a/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtSimple.js
+++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtSimple.js
@@ -0,0 +1,33 @@
+const express = require('express')
+const jwt_simple = require('jwt-simple');
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+function aJWT() {
+    return "A JWT provided by user"
+}
+
+(function () {
+    const UserToken = aJwt()
+
+    // BAD: no signature verification
+    jwt_simple.decode(UserToken, getSecret(), true); // NOT OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: all with with signature verification
+    jwt_simple.decode(UserToken, getSecret(), false); // OK
+    jwt_simple.decode(UserToken, getSecret()); // OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwt_simple.decode(UserToken, getSecret(), true); // OK
+    jwt_simple.decode(UserToken, getSecret()); // OK
+})();
--- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/JsonWebToken.js
+++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/JsonWebToken.js
@@ -0,0 +1,49 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+app.get('/jwtJsonwebtoken1', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken) // NOT OK
+})
+
+app.get('/jwtJsonwebtoken2', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken) // NOT OK
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK
+})
+
+app.get('/jwtJsonwebtoken3', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // GOOD: with signature verification
+    jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
+})
+
+app.get('/jwtJsonwebtoken4', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken) // OK
+    jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
+})
+
+app.get('/jwtJsonwebtoken5', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken) // OK
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] }) // OK
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})
--- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected
+++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected
@@ -0,0 +1,161 @@
+nodes
+| JsonWebToken.js:10:11:10:47 | UserToken |
+| JsonWebToken.js:10:23:10:47 | req.hea ... ization |
+| JsonWebToken.js:10:23:10:47 | req.hea ... ization |
+| JsonWebToken.js:13:28:13:36 | UserToken |
+| JsonWebToken.js:13:28:13:36 | UserToken |
+| JsonWebToken.js:17:11:17:47 | UserToken |
+| JsonWebToken.js:17:23:17:47 | req.hea ... ization |
+| JsonWebToken.js:17:23:17:47 | req.hea ... ization |
+| JsonWebToken.js:20:28:20:36 | UserToken |
+| JsonWebToken.js:20:28:20:36 | UserToken |
+| JsonWebToken.js:21:28:21:36 | UserToken |
+| JsonWebToken.js:21:28:21:36 | UserToken |
+| JsonWebToken.js:25:11:25:47 | UserToken |
+| JsonWebToken.js:25:23:25:47 | req.hea ... ization |
+| JsonWebToken.js:25:23:25:47 | req.hea ... ization |
+| JsonWebToken.js:28:28:28:36 | UserToken |
+| JsonWebToken.js:28:28:28:36 | UserToken |
+| JsonWebToken.js:32:11:32:47 | UserToken |
+| JsonWebToken.js:32:11:32:47 | UserToken |
+| JsonWebToken.js:32:23:32:47 | req.hea ... ization |
+| JsonWebToken.js:32:23:32:47 | req.hea ... ization |
+| JsonWebToken.js:32:23:32:47 | req.hea ... ization |
+| JsonWebToken.js:32:23:32:47 | req.hea ... ization |
+| JsonWebToken.js:35:28:35:36 | UserToken |
+| JsonWebToken.js:35:28:35:36 | UserToken |
+| JsonWebToken.js:36:28:36:36 | UserToken |
+| JsonWebToken.js:36:28:36:36 | UserToken |
+| JsonWebToken.js:40:11:40:47 | UserToken |
+| JsonWebToken.js:40:11:40:47 | UserToken |
+| JsonWebToken.js:40:23:40:47 | req.hea ... ization |
+| JsonWebToken.js:40:23:40:47 | req.hea ... ization |
+| JsonWebToken.js:40:23:40:47 | req.hea ... ization |
+| JsonWebToken.js:40:23:40:47 | req.hea ... ization |
+| JsonWebToken.js:43:28:43:36 | UserToken |
+| JsonWebToken.js:43:28:43:36 | UserToken |
+| JsonWebToken.js:44:28:44:36 | UserToken |
+| JsonWebToken.js:44:28:44:36 | UserToken |
+| jose.js:11:11:11:47 | UserToken |
+| jose.js:11:23:11:47 | req.hea ... ization |
+| jose.js:11:23:11:47 | req.hea ... ization |
+| jose.js:13:20:13:28 | UserToken |
+| jose.js:13:20:13:28 | UserToken |
+| jose.js:18:11:18:47 | UserToken |
+| jose.js:18:23:18:47 | req.hea ... ization |
+| jose.js:18:23:18:47 | req.hea ... ization |
+| jose.js:20:26:20:34 | UserToken |
+| jose.js:20:26:20:34 | UserToken |
+| jose.js:24:11:24:47 | UserToken |
+| jose.js:24:11:24:47 | UserToken |
+| jose.js:24:23:24:47 | req.hea ... ization |
+| jose.js:24:23:24:47 | req.hea ... ization |
+| jose.js:24:23:24:47 | req.hea ... ization |
+| jose.js:24:23:24:47 | req.hea ... ization |
+| jose.js:26:20:26:28 | UserToken |
+| jose.js:26:20:26:28 | UserToken |
+| jose.js:27:26:27:34 | UserToken |
+| jose.js:27:26:27:34 | UserToken |
+| jwtDecode.js:11:11:11:47 | UserToken |
+| jwtDecode.js:11:23:11:47 | req.hea ... ization |
+| jwtDecode.js:11:23:11:47 | req.hea ... ization |
+| jwtDecode.js:15:16:15:24 | UserToken |
+| jwtDecode.js:15:16:15:24 | UserToken |
+| jwtSimple.js:10:11:10:47 | UserToken |
+| jwtSimple.js:10:23:10:47 | req.hea ... ization |
+| jwtSimple.js:10:23:10:47 | req.hea ... ization |
+| jwtSimple.js:13:23:13:31 | UserToken |
+| jwtSimple.js:13:23:13:31 | UserToken |
+| jwtSimple.js:17:11:17:47 | UserToken |
+| jwtSimple.js:17:23:17:47 | req.hea ... ization |
+| jwtSimple.js:17:23:17:47 | req.hea ... ization |
+| jwtSimple.js:20:23:20:31 | UserToken |
+| jwtSimple.js:20:23:20:31 | UserToken |
+| jwtSimple.js:21:23:21:31 | UserToken |
+| jwtSimple.js:21:23:21:31 | UserToken |
+| jwtSimple.js:25:11:25:47 | UserToken |
+| jwtSimple.js:25:11:25:47 | UserToken |
+| jwtSimple.js:25:23:25:47 | req.hea ... ization |
+| jwtSimple.js:25:23:25:47 | req.hea ... ization |
+| jwtSimple.js:25:23:25:47 | req.hea ... ization |
+| jwtSimple.js:25:23:25:47 | req.hea ... ization |
+| jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:29:23:29:31 | UserToken |
+| jwtSimple.js:29:23:29:31 | UserToken |
+edges
+| JsonWebToken.js:10:11:10:47 | UserToken | JsonWebToken.js:13:28:13:36 | UserToken |
+| JsonWebToken.js:10:11:10:47 | UserToken | JsonWebToken.js:13:28:13:36 | UserToken |
+| JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:11:10:47 | UserToken |
+| JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:11:10:47 | UserToken |
+| JsonWebToken.js:17:11:17:47 | UserToken | JsonWebToken.js:20:28:20:36 | UserToken |
+| JsonWebToken.js:17:11:17:47 | UserToken | JsonWebToken.js:20:28:20:36 | UserToken |
+| JsonWebToken.js:17:11:17:47 | UserToken | JsonWebToken.js:21:28:21:36 | UserToken |
+| JsonWebToken.js:17:11:17:47 | UserToken | JsonWebToken.js:21:28:21:36 | UserToken |
+| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:11:17:47 | UserToken |
+| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:11:17:47 | UserToken |
+| JsonWebToken.js:25:11:25:47 | UserToken | JsonWebToken.js:28:28:28:36 | UserToken |
+| JsonWebToken.js:25:11:25:47 | UserToken | JsonWebToken.js:28:28:28:36 | UserToken |
+| JsonWebToken.js:25:23:25:47 | req.hea ... ization | JsonWebToken.js:25:11:25:47 | UserToken |
+| JsonWebToken.js:25:23:25:47 | req.hea ... ization | JsonWebToken.js:25:11:25:47 | UserToken |
+| JsonWebToken.js:32:11:32:47 | UserToken | JsonWebToken.js:35:28:35:36 | UserToken |
+| JsonWebToken.js:32:11:32:47 | UserToken | JsonWebToken.js:35:28:35:36 | UserToken |
+| JsonWebToken.js:32:11:32:47 | UserToken | JsonWebToken.js:36:28:36:36 | UserToken |
+| JsonWebToken.js:32:11:32:47 | UserToken | JsonWebToken.js:36:28:36:36 | UserToken |
+| JsonWebToken.js:32:23:32:47 | req.hea ... ization | JsonWebToken.js:32:11:32:47 | UserToken |
+| JsonWebToken.js:32:23:32:47 | req.hea ... ization | JsonWebToken.js:32:11:32:47 | UserToken |
+| JsonWebToken.js:32:23:32:47 | req.hea ... ization | JsonWebToken.js:32:11:32:47 | UserToken |
+| JsonWebToken.js:32:23:32:47 | req.hea ... ization | JsonWebToken.js:32:11:32:47 | UserToken |
+| JsonWebToken.js:40:11:40:47 | UserToken | JsonWebToken.js:43:28:43:36 | UserToken |
+| JsonWebToken.js:40:11:40:47 | UserToken | JsonWebToken.js:43:28:43:36 | UserToken |
+| JsonWebToken.js:40:11:40:47 | UserToken | JsonWebToken.js:44:28:44:36 | UserToken |
+| JsonWebToken.js:40:11:40:47 | UserToken | JsonWebToken.js:44:28:44:36 | UserToken |
+| JsonWebToken.js:40:23:40:47 | req.hea ... ization | JsonWebToken.js:40:11:40:47 | UserToken |
+| JsonWebToken.js:40:23:40:47 | req.hea ... ization | JsonWebToken.js:40:11:40:47 | UserToken |
+| JsonWebToken.js:40:23:40:47 | req.hea ... ization | JsonWebToken.js:40:11:40:47 | UserToken |
+| JsonWebToken.js:40:23:40:47 | req.hea ... ization | JsonWebToken.js:40:11:40:47 | UserToken |
+| jose.js:11:11:11:47 | UserToken | jose.js:13:20:13:28 | UserToken |
+| jose.js:11:11:11:47 | UserToken | jose.js:13:20:13:28 | UserToken |
+| jose.js:11:23:11:47 | req.hea ... ization | jose.js:11:11:11:47 | UserToken |
+| jose.js:11:23:11:47 | req.hea ... ization | jose.js:11:11:11:47 | UserToken |
+| jose.js:18:11:18:47 | UserToken | jose.js:20:26:20:34 | UserToken |
+| jose.js:18:11:18:47 | UserToken | jose.js:20:26:20:34 | UserToken |
+| jose.js:18:23:18:47 | req.hea ... ization | jose.js:18:11:18:47 | UserToken |
+| jose.js:18:23:18:47 | req.hea ... ization | jose.js:18:11:18:47 | UserToken |
+| jose.js:24:11:24:47 | UserToken | jose.js:26:20:26:28 | UserToken |
+| jose.js:24:11:24:47 | UserToken | jose.js:26:20:26:28 | UserToken |
+| jose.js:24:11:24:47 | UserToken | jose.js:27:26:27:34 | UserToken |
+| jose.js:24:11:24:47 | UserToken | jose.js:27:26:27:34 | UserToken |
+| jose.js:24:23:24:47 | req.hea ... ization | jose.js:24:11:24:47 | UserToken |
+| jose.js:24:23:24:47 | req.hea ... ization | jose.js:24:11:24:47 | UserToken |
+| jose.js:24:23:24:47 | req.hea ... ization | jose.js:24:11:24:47 | UserToken |
+| jose.js:24:23:24:47 | req.hea ... ization | jose.js:24:11:24:47 | UserToken |
+| jwtDecode.js:11:11:11:47 | UserToken | jwtDecode.js:15:16:15:24 | UserToken |
+| jwtDecode.js:11:11:11:47 | UserToken | jwtDecode.js:15:16:15:24 | UserToken |
+| jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:11:11:11:47 | UserToken |
+| jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:11:11:11:47 | UserToken |
+| jwtSimple.js:10:11:10:47 | UserToken | jwtSimple.js:13:23:13:31 | UserToken |
+| jwtSimple.js:10:11:10:47 | UserToken | jwtSimple.js:13:23:13:31 | UserToken |
+| jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:10:11:10:47 | UserToken |
+| jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:10:11:10:47 | UserToken |
+| jwtSimple.js:17:11:17:47 | UserToken | jwtSimple.js:20:23:20:31 | UserToken |
+| jwtSimple.js:17:11:17:47 | UserToken | jwtSimple.js:20:23:20:31 | UserToken |
+| jwtSimple.js:17:11:17:47 | UserToken | jwtSimple.js:21:23:21:31 | UserToken |
+| jwtSimple.js:17:11:17:47 | UserToken | jwtSimple.js:21:23:21:31 | UserToken |
+| jwtSimple.js:17:23:17:47 | req.hea ... ization | jwtSimple.js:17:11:17:47 | UserToken |
+| jwtSimple.js:17:23:17:47 | req.hea ... ization | jwtSimple.js:17:11:17:47 | UserToken |
+| jwtSimple.js:25:11:25:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:25:11:25:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:25:11:25:47 | UserToken | jwtSimple.js:29:23:29:31 | UserToken |
+| jwtSimple.js:25:11:25:47 | UserToken | jwtSimple.js:29:23:29:31 | UserToken |
+| jwtSimple.js:25:23:25:47 | req.hea ... ization | jwtSimple.js:25:11:25:47 | UserToken |
+| jwtSimple.js:25:23:25:47 | req.hea ... ization | jwtSimple.js:25:11:25:47 | UserToken |
+| jwtSimple.js:25:23:25:47 | req.hea ... ization | jwtSimple.js:25:11:25:47 | UserToken |
+| jwtSimple.js:25:23:25:47 | req.hea ... ization | jwtSimple.js:25:11:25:47 | UserToken |
+#select
+| JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:13:28:13:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:13:28:13:36 | UserToken | without signature verification |
+| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:20:28:20:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:20:28:20:36 | UserToken | without signature verification |
+| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:21:28:21:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:21:28:21:36 | UserToken | without signature verification |
+| jose.js:11:23:11:47 | req.hea ... ization | jose.js:11:23:11:47 | req.hea ... ization | jose.js:13:20:13:28 | UserToken | Decoding JWT $@. | jose.js:13:20:13:28 | UserToken | without signature verification |
+| jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:15:16:15:24 | UserToken | Decoding JWT $@. | jwtDecode.js:15:16:15:24 | UserToken | without signature verification |
+| jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:13:23:13:31 | UserToken | Decoding JWT $@. | jwtSimple.js:13:23:13:31 | UserToken | without signature verification |
--- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.qlref
+++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
--- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/jose.js
+++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/jose.js
@@ -0,0 +1,32 @@
+const express = require('express')
+const app = express()
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+app.get('/jose1', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // no signature verification
+    jose.decodeJwt(UserToken) // NOT OK
+})
+
+
+app.get('/jose2', async (req, res) => {
+    const UserToken = req.headers.authorization;
+    // with signature verification
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret())) // OK
+})
+
+app.get('/jose3', async (req, res) => {
+    const UserToken = req.headers.authorization;
+    // first without signature verification then with signature verification for same UserToken
+    jose.decodeJwt(UserToken)  // OK
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret())) // OK
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})
--- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtDecode.js
+++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtDecode.js
@@ -0,0 +1,20 @@
+const express = require('express')
+const app = express()
+const jwt_decode = require('jwt-decode');
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+app.get('/jwtDecode', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-decode
+    // no signature verification
+    jwt_decode(UserToken) // NOT OK
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})
--- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtSimple.js
+++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtSimple.js
@@ -0,0 +1,34 @@
+const express = require('express')
+const app = express()
+const jwt_simple = require('jwt-simple');
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+app.get('/jwtSimple1', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // no signature verification
+    jwt_simple.decode(UserToken, getSecret(), true); // NOT OK
+})
+
+app.get('/jwtSimple2', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // GOOD: all with with signature verification
+    jwt_simple.decode(UserToken, getSecret(), false); // OK
+    jwt_simple.decode(UserToken, getSecret()); // OK
+})
+
+app.get('/jwtSimple3', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwt_simple.decode(UserToken, getSecret(), true); // OK
+    jwt_simple.decode(UserToken, getSecret()); // OK
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})
--- a/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.expected
+++ b/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.expected
@@ -0,0 +1,50 @@
+nodes
+| apollo-test.js:8:9:8:59 | user_origin |
+| apollo-test.js:8:23:8:46 | url.par ... , true) |
+| apollo-test.js:8:23:8:52 | url.par ... ).query |
+| apollo-test.js:8:23:8:59 | url.par ... .origin |
+| apollo-test.js:8:33:8:39 | req.url |
+| apollo-test.js:8:33:8:39 | req.url |
+| apollo-test.js:11:25:11:28 | true |
+| apollo-test.js:11:25:11:28 | true |
+| apollo-test.js:11:25:11:28 | true |
+| apollo-test.js:21:25:21:28 | null |
+| apollo-test.js:21:25:21:28 | null |
+| apollo-test.js:21:25:21:28 | null |
+| apollo-test.js:26:25:26:35 | user_origin |
+| apollo-test.js:26:25:26:35 | user_origin |
+| express-test.js:10:9:10:59 | user_origin |
+| express-test.js:10:23:10:46 | url.par ... , true) |
+| express-test.js:10:23:10:52 | url.par ... ).query |
+| express-test.js:10:23:10:59 | url.par ... .origin |
+| express-test.js:10:33:10:39 | req.url |
+| express-test.js:10:33:10:39 | req.url |
+| express-test.js:26:17:26:19 | '*' |
+| express-test.js:26:17:26:19 | '*' |
+| express-test.js:26:17:26:19 | '*' |
+| express-test.js:33:17:33:27 | user_origin |
+| express-test.js:33:17:33:27 | user_origin |
+edges
+| apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin |
+| apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin |
+| apollo-test.js:8:23:8:46 | url.par ... , true) | apollo-test.js:8:23:8:52 | url.par ... ).query |
+| apollo-test.js:8:23:8:52 | url.par ... ).query | apollo-test.js:8:23:8:59 | url.par ... .origin |
+| apollo-test.js:8:23:8:59 | url.par ... .origin | apollo-test.js:8:9:8:59 | user_origin |
+| apollo-test.js:8:33:8:39 | req.url | apollo-test.js:8:23:8:46 | url.par ... , true) |
+| apollo-test.js:8:33:8:39 | req.url | apollo-test.js:8:23:8:46 | url.par ... , true) |
+| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true |
+| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null |
+| express-test.js:10:9:10:59 | user_origin | express-test.js:33:17:33:27 | user_origin |
+| express-test.js:10:9:10:59 | user_origin | express-test.js:33:17:33:27 | user_origin |
+| express-test.js:10:23:10:46 | url.par ... , true) | express-test.js:10:23:10:52 | url.par ... ).query |
+| express-test.js:10:23:10:52 | url.par ... ).query | express-test.js:10:23:10:59 | url.par ... .origin |
+| express-test.js:10:23:10:59 | url.par ... .origin | express-test.js:10:9:10:59 | user_origin |
+| express-test.js:10:33:10:39 | req.url | express-test.js:10:23:10:46 | url.par ... , true) |
+| express-test.js:10:33:10:39 | req.url | express-test.js:10:23:10:46 | url.par ... , true) |
+| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' |
+#select
+| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | CORS Origin misconfiguration due to a $@. | apollo-test.js:11:25:11:28 | true | too permissive or user controlled value |
+| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | CORS Origin misconfiguration due to a $@. | apollo-test.js:21:25:21:28 | null | too permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:33:8:39 | req.url | too permissive or user controlled value |
+| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | CORS Origin misconfiguration due to a $@. | express-test.js:26:17:26:19 | '*' | too permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:33:10:39 | req.url | express-test.js:33:17:33:27 | user_origin | CORS Origin misconfiguration due to a $@. | express-test.js:10:33:10:39 | req.url | too permissive or user controlled value |
--- a/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.qlref
+++ b/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.qlref
@@ -0,0 +1 @@
+./experimental/Security/CWE-942/CorsPermissiveConfiguration.ql
--- a/javascript/ql/test/experimental/Security/CWE-942/apollo-test.js
+++ b/javascript/ql/test/experimental/Security/CWE-942/apollo-test.js
@@ -0,0 +1,28 @@
+import { ApolloServer } from 'apollo-server';
+var https = require('https'),
+    url = require('url');
+
+var server = https.createServer(function () { });
+
+server.on('request', function (req, res) {
+    let user_origin = url.parse(req.url, true).query.origin;
+    // BAD: CORS too permissive
+    const server_1 = new ApolloServer({
+        cors: { origin: true }
+    });
+
+    // GOOD: restrictive CORS 
+    const server_2 = new ApolloServer({
+        cors: false
+    });
+
+    // BAD: CORS too permissive 
+    const server_3 = new ApolloServer({
+        cors: { origin: null }
+    });
+
+    // BAD: CORS is controlled by user
+    const server_4 = new ApolloServer({
+        cors: { origin: user_origin }
+    });
+});
--- a/javascript/ql/test/experimental/Security/CWE-942/express-test.js
+++ b/javascript/ql/test/experimental/Security/CWE-942/express-test.js
@@ -0,0 +1,36 @@
+const cors = require('cors');
+var express = require('express');
+
+var https = require('https'),
+    url = require('url');
+
+var server = https.createServer(function () { });
+
+server.on('request', function (req, res) {
+    let user_origin = url.parse(req.url, true).query.origin;
+
+    // BAD: CORS too permissive, default value is *
+    var app1 = express();
+    app1.use(cors());
+
+    // GOOD: restrictive CORS 
+    var app2 = express();
+    var corsOptions2 = {
+        origin: ["https://example1.com", "https://example2.com"],
+    };
+    app2.use(cors(corsOptions2));
+
+    // BAD: CORS too permissive 
+    var app3 = express();
+    var corsOption3 = {
+        origin: '*'
+    };
+    app3.use(cors(corsOption3));
+
+    // BAD: CORS is controlled by user
+    var app4 = express();
+    var corsOption4 = {
+        origin: user_origin
+    };
+    app4.use(cors(corsOption4));
+});
--- a/javascript/ql/test/library-tests/Arrays/DataFlow.expected
+++ b/javascript/ql/test/library-tests/Arrays/DataFlow.expected
@@ -3,20 +3,22 @@
 | arrays.js:2:16:2:23 | "source" | arrays.js:15:27:15:27 | e |
 | arrays.js:2:16:2:23 | "source" | arrays.js:16:23:16:23 | e |
 | arrays.js:2:16:2:23 | "source" | arrays.js:20:8:20:16 | arr.pop() |
-| arrays.js:2:16:2:23 | "source" | arrays.js:52:10:52:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:56:10:56:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:60:10:60:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:66:10:66:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:71:10:71:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:74:8:74:29 | arr.fin ... llback) |
-| arrays.js:2:16:2:23 | "source" | arrays.js:77:8:77:35 | arrayFi ... llback) |
-| arrays.js:2:16:2:23 | "source" | arrays.js:81:10:81:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:84:8:84:17 | arr.at(-1) |
+| arrays.js:2:16:2:23 | "source" | arrays.js:39:8:39:24 | arr4_spread.pop() |
+| arrays.js:2:16:2:23 | "source" | arrays.js:61:10:61:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:65:10:65:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:69:10:69:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:75:10:75:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:80:10:80:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:83:8:83:29 | arr.fin ... llback) |
+| arrays.js:2:16:2:23 | "source" | arrays.js:86:8:86:35 | arrayFi ... llback) |
+| arrays.js:2:16:2:23 | "source" | arrays.js:90:10:90:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:93:8:93:17 | arr.at(-1) |
 | arrays.js:18:22:18:29 | "source" | arrays.js:18:50:18:50 | e |
 | arrays.js:22:15:22:22 | "source" | arrays.js:23:8:23:17 | arr2.pop() |
 | arrays.js:25:15:25:22 | "source" | arrays.js:26:8:26:17 | arr3.pop() |
 | arrays.js:29:21:29:28 | "source" | arrays.js:30:8:30:17 | arr4.pop() |
-| arrays.js:29:21:29:28 | "source" | arrays.js:33:8:33:17 | arr5.pop() |
-| arrays.js:29:21:29:28 | "source" | arrays.js:35:8:35:26 | arr5.slice(2).pop() |
-| arrays.js:29:21:29:28 | "source" | arrays.js:41:8:41:17 | arr6.pop() |
-| arrays.js:44:4:44:11 | "source" | arrays.js:45:10:45:18 | ary.pop() |
+| arrays.js:29:21:29:28 | "source" | arrays.js:42:8:42:17 | arr5.pop() |
+| arrays.js:29:21:29:28 | "source" | arrays.js:44:8:44:26 | arr5.slice(2).pop() |
+| arrays.js:29:21:29:28 | "source" | arrays.js:50:8:50:17 | arr6.pop() |
+| arrays.js:33:37:33:44 | "source" | arrays.js:35:8:35:25 | arr4_variant.pop() |
+| arrays.js:53:4:53:11 | "source" | arrays.js:54:10:54:18 | ary.pop() |
--- a/javascript/ql/test/library-tests/Arrays/TaintFlow.expected
+++ b/javascript/ql/test/library-tests/Arrays/TaintFlow.expected
@@ -3,24 +3,26 @@
 | arrays.js:2:16:2:23 | "source" | arrays.js:15:27:15:27 | e |
 | arrays.js:2:16:2:23 | "source" | arrays.js:16:23:16:23 | e |
 | arrays.js:2:16:2:23 | "source" | arrays.js:20:8:20:16 | arr.pop() |
-| arrays.js:2:16:2:23 | "source" | arrays.js:49:8:49:13 | arr[0] |
-| arrays.js:2:16:2:23 | "source" | arrays.js:52:10:52:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:56:10:56:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:60:10:60:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:66:10:66:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:71:10:71:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:74:8:74:29 | arr.fin ... llback) |
-| arrays.js:2:16:2:23 | "source" | arrays.js:77:8:77:35 | arrayFi ... llback) |
-| arrays.js:2:16:2:23 | "source" | arrays.js:81:10:81:10 | x |
-| arrays.js:2:16:2:23 | "source" | arrays.js:84:8:84:17 | arr.at(-1) |
+| arrays.js:2:16:2:23 | "source" | arrays.js:39:8:39:24 | arr4_spread.pop() |
+| arrays.js:2:16:2:23 | "source" | arrays.js:58:8:58:13 | arr[0] |
+| arrays.js:2:16:2:23 | "source" | arrays.js:61:10:61:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:65:10:65:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:69:10:69:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:75:10:75:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:80:10:80:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:83:8:83:29 | arr.fin ... llback) |
+| arrays.js:2:16:2:23 | "source" | arrays.js:86:8:86:35 | arrayFi ... llback) |
+| arrays.js:2:16:2:23 | "source" | arrays.js:90:10:90:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:93:8:93:17 | arr.at(-1) |
 | arrays.js:18:22:18:29 | "source" | arrays.js:18:50:18:50 | e |
 | arrays.js:22:15:22:22 | "source" | arrays.js:23:8:23:17 | arr2.pop() |
 | arrays.js:25:15:25:22 | "source" | arrays.js:26:8:26:17 | arr3.pop() |
 | arrays.js:29:21:29:28 | "source" | arrays.js:30:8:30:17 | arr4.pop() |
-| arrays.js:29:21:29:28 | "source" | arrays.js:33:8:33:17 | arr5.pop() |
-| arrays.js:29:21:29:28 | "source" | arrays.js:35:8:35:26 | arr5.slice(2).pop() |
-| arrays.js:29:21:29:28 | "source" | arrays.js:41:8:41:17 | arr6.pop() |
-| arrays.js:44:4:44:11 | "source" | arrays.js:45:10:45:18 | ary.pop() |
-| arrays.js:44:4:44:11 | "source" | arrays.js:46:10:46:12 | ary |
-| arrays.js:86:9:86:16 | "source" | arrays.js:86:8:86:34 | ["sourc ... ) => x) |
-| arrays.js:87:9:87:16 | "source" | arrays.js:87:8:87:36 | ["sourc ... => !!x) |
+| arrays.js:29:21:29:28 | "source" | arrays.js:42:8:42:17 | arr5.pop() |
+| arrays.js:29:21:29:28 | "source" | arrays.js:44:8:44:26 | arr5.slice(2).pop() |
+| arrays.js:29:21:29:28 | "source" | arrays.js:50:8:50:17 | arr6.pop() |
+| arrays.js:33:37:33:44 | "source" | arrays.js:35:8:35:25 | arr4_variant.pop() |
+| arrays.js:53:4:53:11 | "source" | arrays.js:54:10:54:18 | ary.pop() |
+| arrays.js:53:4:53:11 | "source" | arrays.js:55:10:55:12 | ary |
+| arrays.js:95:9:95:16 | "source" | arrays.js:95:8:95:34 | ["sourc ... ) => x) |
+| arrays.js:96:9:96:16 | "source" | arrays.js:96:8:96:36 | ["sourc ... => !!x) |
--- a/javascript/ql/test/library-tests/Arrays/arrays.js
+++ b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -29,6 +29,15 @@
  arr4.splice(0, 0, "source");
  sink(arr4.pop()); // NOT OK

+  var arr4_variant = [];
+  arr4_variant.splice(0, 0, "safe", "source");
+  arr4_variant.pop();
+  sink(arr4_variant.pop()); // NOT OK
+
+  var arr4_spread = [];
+  arr4_spread.splice(0, 0, ...arr);
+  sink(arr4_spread.pop()); // NOT OK
+
  var arr5 = [].concat(arr4);
  sink(arr5.pop()); // NOT OK

@@ -46,7 +55,7 @@
    sink(ary); // OK - its the array itself, not an element.
  });

-  sink(arr[0]); // OK - tuple like usage. 
+  sink(arr[0]); // OK - tuple like usage.

  for (const x of arr) {
    sink(x); // NOT OK
@@ -59,7 +68,7 @@
  for (const x of [...arr]) {
    sink(x); // NOT OK
  }
-  
+
  var arr7 = [];
  arr7.push(...arr);
  for (const x of arr7) {
--- a/javascript/ql/test/library-tests/Arrays/printAst.expected
+++ b/javascript/ql/test/library-tests/Arrays/printAst.expected
--- a/javascript/ql/test/library-tests/TypeScript/Types/printAst.expected
+++ b/javascript/ql/test/library-tests/TypeScript/Types/printAst.expected
@@ -126,6 +126,9 @@ nodes
 | file://:0:0:0:0 | (Arguments) | semmle.label | (Arguments) |
 | file://:0:0:0:0 | (Arguments) | semmle.label | (Arguments) |
 | file://:0:0:0:0 | (Arguments) | semmle.label | (Arguments) |
+| file://:0:0:0:0 | (Arguments) | semmle.label | (Arguments) |
+| file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
+| file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
 | file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
 | file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
 | file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
@@ -1817,8 +1820,65 @@ nodes
 | tst.ts:494:24:494:24 | [Literal] 0 | semmle.label | [Literal] 0 |
 | tst.ts:494:28:494:33 | [Literal] "even" | semmle.label | [Literal] "even" |
 | tst.ts:494:36:494:40 | [Literal] "odd" | semmle.label | [Literal] "odd" |
+| tst.ts:498:1:511:1 | [NamespaceDeclaration] module ... } } } | semmle.label | [NamespaceDeclaration] module ... } } } |
+| tst.ts:498:1:511:1 | [NamespaceDeclaration] module ... } } } | semmle.order | 91 |
+| tst.ts:498:8:498:11 | [VarDecl] TS55 | semmle.label | [VarDecl] TS55 |
+| tst.ts:499:3:500:40 | [DeclStmt] const strings = ... | semmle.label | [DeclStmt] const strings = ... |
+| tst.ts:499:9:499:15 | [VarDecl] strings | semmle.label | [VarDecl] strings |
+| tst.ts:499:9:500:39 | [VariableDeclarator] strings ... tring") | semmle.label | [VariableDeclarator] strings ... tring") |
+| tst.ts:499:19:499:32 | [ParExpr] (["foo", 123]) | semmle.label | [ParExpr] (["foo", 123]) |
+| tst.ts:499:19:500:11 | [DotExpr] (["foo" ... .filter | semmle.label | [DotExpr] (["foo" ... .filter |
+| tst.ts:499:19:500:39 | [MethodCallExpr] (["foo" ... tring") | semmle.label | [MethodCallExpr] (["foo" ... tring") |
+| tst.ts:499:20:499:31 | [ArrayExpr] ["foo", 123] | semmle.label | [ArrayExpr] ["foo", 123] |
+| tst.ts:499:21:499:25 | [Literal] "foo" | semmle.label | [Literal] "foo" |
+| tst.ts:499:28:499:30 | [Literal] 123 | semmle.label | [Literal] 123 |
+| tst.ts:500:6:500:11 | [Label] filter | semmle.label | [Label] filter |
+| tst.ts:500:13:500:13 | [SimpleParameter] s | semmle.label | [SimpleParameter] s |
+| tst.ts:500:13:500:38 | [ArrowFunctionExpr] s => ty ... string" | semmle.label | [ArrowFunctionExpr] s => ty ... string" |
+| tst.ts:500:18:500:25 | [UnaryExpr] typeof s | semmle.label | [UnaryExpr] typeof s |
+| tst.ts:500:18:500:38 | [BinaryExpr] typeof ... string" | semmle.label | [BinaryExpr] typeof ... string" |
+| tst.ts:500:25:500:25 | [VarRef] s | semmle.label | [VarRef] s |
+| tst.ts:500:31:500:38 | [Literal] "string" | semmle.label | [Literal] "string" |
+| tst.ts:502:3:504:3 | [ForOfStmt] for (co ... 5.4 } | semmle.label | [ForOfStmt] for (co ... 5.4 } |
+| tst.ts:502:8:502:16 | [DeclStmt] const str = ... | semmle.label | [DeclStmt] const str = ... |
+| tst.ts:502:14:502:16 | [VarDecl] str | semmle.label | [VarDecl] str |
+| tst.ts:502:14:502:16 | [VariableDeclarator] str | semmle.label | [VariableDeclarator] str |
+| tst.ts:502:21:502:27 | [VarRef] strings | semmle.label | [VarRef] strings |
+| tst.ts:502:30:504:3 | [BlockStmt] { s ... 5.4 } | semmle.label | [BlockStmt] { s ... 5.4 } |
+| tst.ts:503:5:503:7 | [VarRef] str | semmle.label | [VarRef] str |
+| tst.ts:503:5:503:19 | [DotExpr] str.toLowerCase | semmle.label | [DotExpr] str.toLowerCase |
+| tst.ts:503:5:503:21 | [MethodCallExpr] str.toLowerCase() | semmle.label | [MethodCallExpr] str.toLowerCase() |
+| tst.ts:503:5:503:22 | [ExprStmt] str.toLowerCase(); | semmle.label | [ExprStmt] str.toLowerCase(); |
+| tst.ts:503:9:503:19 | [Label] toLowerCase | semmle.label | [Label] toLowerCase |
+| tst.ts:506:3:510:3 | [FunctionDeclStmt] functio ... } } | semmle.label | [FunctionDeclStmt] functio ... } } |
+| tst.ts:506:12:506:13 | [VarDecl] f1 | semmle.label | [VarDecl] f1 |
+| tst.ts:506:15:506:17 | [SimpleParameter] obj | semmle.label | [SimpleParameter] obj |
+| tst.ts:506:20:506:25 | [LocalTypeAccess] Record | semmle.label | [LocalTypeAccess] Record |
+| tst.ts:506:20:506:42 | [GenericTypeExpr] Record< ... nknown> | semmle.label | [GenericTypeExpr] Record< ... nknown> |
+| tst.ts:506:27:506:32 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
+| tst.ts:506:35:506:41 | [KeywordTypeExpr] unknown | semmle.label | [KeywordTypeExpr] unknown |
+| tst.ts:506:45:506:47 | [SimpleParameter] key | semmle.label | [SimpleParameter] key |
+| tst.ts:506:50:506:55 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
+| tst.ts:506:58:510:3 | [BlockStmt] { i ... } } | semmle.label | [BlockStmt] { i ... } } |
+| tst.ts:507:5:509:5 | [IfStmt] if (typ ... r } | semmle.label | [IfStmt] if (typ ... r } |
+| tst.ts:507:9:507:23 | [UnaryExpr] typeof obj[key] | semmle.label | [UnaryExpr] typeof obj[key] |
+| tst.ts:507:9:507:36 | [BinaryExpr] typeof ... string" | semmle.label | [BinaryExpr] typeof ... string" |
+| tst.ts:507:16:507:18 | [VarRef] obj | semmle.label | [VarRef] obj |
+| tst.ts:507:16:507:23 | [IndexExpr] obj[key] | semmle.label | [IndexExpr] obj[key] |
+| tst.ts:507:20:507:22 | [VarRef] key | semmle.label | [VarRef] key |
+| tst.ts:507:29:507:36 | [Literal] "string" | semmle.label | [Literal] "string" |
+| tst.ts:507:39:509:5 | [BlockStmt] { ... r } | semmle.label | [BlockStmt] { ... r } |
+| tst.ts:508:7:508:39 | [DeclStmt] var str = ... | semmle.label | [DeclStmt] var str = ... |
+| tst.ts:508:11:508:13 | [VarDecl] str | semmle.label | [VarDecl] str |
+| tst.ts:508:11:508:38 | [VariableDeclarator] str = o ... rCase() | semmle.label | [VariableDeclarator] str = o ... rCase() |
+| tst.ts:508:17:508:19 | [VarRef] obj | semmle.label | [VarRef] obj |
+| tst.ts:508:17:508:24 | [IndexExpr] obj[key] | semmle.label | [IndexExpr] obj[key] |
+| tst.ts:508:17:508:36 | [DotExpr] obj[key].toUpperCase | semmle.label | [DotExpr] obj[key].toUpperCase |
+| tst.ts:508:17:508:38 | [MethodCallExpr] obj[key ... rCase() | semmle.label | [MethodCallExpr] obj[key ... rCase() |
+| tst.ts:508:21:508:23 | [VarRef] key | semmle.label | [VarRef] key |
+| tst.ts:508:26:508:36 | [Label] toUpperCase | semmle.label | [Label] toUpperCase |
 | tstModuleCJS.cts:1:1:3:1 | [ExportDeclaration] export ... 'b'; } | semmle.label | [ExportDeclaration] export ... 'b'; } |
-| tstModuleCJS.cts:1:1:3:1 | [ExportDeclaration] export ... 'b'; } | semmle.order | 91 |
+| tstModuleCJS.cts:1:1:3:1 | [ExportDeclaration] export ... 'b'; } | semmle.order | 92 |
 | tstModuleCJS.cts:1:8:3:1 | [FunctionDeclStmt] functio ... 'b'; } | semmle.label | [FunctionDeclStmt] functio ... 'b'; } |
 | tstModuleCJS.cts:1:17:1:28 | [VarDecl] tstModuleCJS | semmle.label | [VarDecl] tstModuleCJS |
 | tstModuleCJS.cts:1:33:1:35 | [LiteralTypeExpr] 'a' | semmle.label | [LiteralTypeExpr] 'a' |
@@ -1836,7 +1896,7 @@ nodes
 | tstModuleCJS.cts:2:34:2:36 | [Literal] 'a' | semmle.label | [Literal] 'a' |
 | tstModuleCJS.cts:2:40:2:42 | [Literal] 'b' | semmle.label | [Literal] 'b' |
 | tstModuleES.mts:1:1:3:1 | [ExportDeclaration] export ... 'b'; } | semmle.label | [ExportDeclaration] export ... 'b'; } |
-| tstModuleES.mts:1:1:3:1 | [ExportDeclaration] export ... 'b'; } | semmle.order | 92 |
+| tstModuleES.mts:1:1:3:1 | [ExportDeclaration] export ... 'b'; } | semmle.order | 93 |
 | tstModuleES.mts:1:16:3:1 | [FunctionDeclStmt] functio ... 'b'; } | semmle.label | [FunctionDeclStmt] functio ... 'b'; } |
 | tstModuleES.mts:1:25:1:35 | [VarDecl] tstModuleES | semmle.label | [VarDecl] tstModuleES |
 | tstModuleES.mts:1:40:1:42 | [LiteralTypeExpr] 'a' | semmle.label | [LiteralTypeExpr] 'a' |
@@ -1854,7 +1914,7 @@ nodes
 | tstModuleES.mts:2:34:2:36 | [Literal] 'a' | semmle.label | [Literal] 'a' |
 | tstModuleES.mts:2:40:2:42 | [Literal] 'b' | semmle.label | [Literal] 'b' |
 | tstSuffixA.ts:1:1:3:1 | [ExportDeclaration] export ... .ts'; } | semmle.label | [ExportDeclaration] export ... .ts'; } |
-| tstSuffixA.ts:1:1:3:1 | [ExportDeclaration] export ... .ts'; } | semmle.order | 93 |
+| tstSuffixA.ts:1:1:3:1 | [ExportDeclaration] export ... .ts'; } | semmle.order | 94 |
 | tstSuffixA.ts:1:8:3:1 | [FunctionDeclStmt] functio ... .ts'; } | semmle.label | [FunctionDeclStmt] functio ... .ts'; } |
 | tstSuffixA.ts:1:17:1:28 | [VarDecl] resolvedFile | semmle.label | [VarDecl] resolvedFile |
 | tstSuffixA.ts:1:33:1:47 | [LiteralTypeExpr] 'tstSuffixA.ts' | semmle.label | [LiteralTypeExpr] 'tstSuffixA.ts' |
@@ -1862,7 +1922,7 @@ nodes
 | tstSuffixA.ts:2:5:2:27 | [ReturnStmt] return ... xA.ts'; | semmle.label | [ReturnStmt] return ... xA.ts'; |
 | tstSuffixA.ts:2:12:2:26 | [Literal] 'tstSuffixA.ts' | semmle.label | [Literal] 'tstSuffixA.ts' |
 | tstSuffixB.ios.ts:1:1:3:1 | [ExportDeclaration] export ... .ts'; } | semmle.label | [ExportDeclaration] export ... .ts'; } |
-| tstSuffixB.ios.ts:1:1:3:1 | [ExportDeclaration] export ... .ts'; } | semmle.order | 94 |
+| tstSuffixB.ios.ts:1:1:3:1 | [ExportDeclaration] export ... .ts'; } | semmle.order | 95 |
 | tstSuffixB.ios.ts:1:8:3:1 | [FunctionDeclStmt] functio ... .ts'; } | semmle.label | [FunctionDeclStmt] functio ... .ts'; } |
 | tstSuffixB.ios.ts:1:17:1:28 | [VarDecl] resolvedFile | semmle.label | [VarDecl] resolvedFile |
 | tstSuffixB.ios.ts:1:33:1:51 | [LiteralTypeExpr] 'tstSuffixB.ios.ts' | semmle.label | [LiteralTypeExpr] 'tstSuffixB.ios.ts' |
@@ -1870,7 +1930,7 @@ nodes
 | tstSuffixB.ios.ts:2:5:2:31 | [ReturnStmt] return ... os.ts'; | semmle.label | [ReturnStmt] return ... os.ts'; |
 | tstSuffixB.ios.ts:2:12:2:30 | [Literal] 'tstSuffixB.ios.ts' | semmle.label | [Literal] 'tstSuffixB.ios.ts' |
 | tstSuffixB.ts:1:1:3:1 | [ExportDeclaration] export ... .ts'; } | semmle.label | [ExportDeclaration] export ... .ts'; } |
-| tstSuffixB.ts:1:1:3:1 | [ExportDeclaration] export ... .ts'; } | semmle.order | 95 |
+| tstSuffixB.ts:1:1:3:1 | [ExportDeclaration] export ... .ts'; } | semmle.order | 96 |
 | tstSuffixB.ts:1:8:3:1 | [FunctionDeclStmt] functio ... .ts'; } | semmle.label | [FunctionDeclStmt] functio ... .ts'; } |
 | tstSuffixB.ts:1:17:1:28 | [VarDecl] resolvedFile | semmle.label | [VarDecl] resolvedFile |
 | tstSuffixB.ts:1:33:1:47 | [LiteralTypeExpr] 'tstSuffixB.ts' | semmle.label | [LiteralTypeExpr] 'tstSuffixB.ts' |
@@ -1878,16 +1938,16 @@ nodes
 | tstSuffixB.ts:2:5:2:27 | [ReturnStmt] return ... xB.ts'; | semmle.label | [ReturnStmt] return ... xB.ts'; |
 | tstSuffixB.ts:2:12:2:26 | [Literal] 'tstSuffixB.ts' | semmle.label | [Literal] 'tstSuffixB.ts' |
 | type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type B = boolean; |
-| type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | semmle.order | 96 |
+| type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | semmle.order | 97 |
 | type_alias.ts:1:6:1:6 | [Identifier] B | semmle.label | [Identifier] B |
 | type_alias.ts:1:10:1:16 | [KeywordTypeExpr] boolean | semmle.label | [KeywordTypeExpr] boolean |
 | type_alias.ts:3:1:3:9 | [DeclStmt] var b = ... | semmle.label | [DeclStmt] var b = ... |
-| type_alias.ts:3:1:3:9 | [DeclStmt] var b = ... | semmle.order | 97 |
+| type_alias.ts:3:1:3:9 | [DeclStmt] var b = ... | semmle.order | 98 |
 | type_alias.ts:3:5:3:5 | [VarDecl] b | semmle.label | [VarDecl] b |
 | type_alias.ts:3:5:3:8 | [VariableDeclarator] b: B | semmle.label | [VariableDeclarator] b: B |
 | type_alias.ts:3:8:3:8 | [LocalTypeAccess] B | semmle.label | [LocalTypeAccess] B |
 | type_alias.ts:5:1:5:50 | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; |
-| type_alias.ts:5:1:5:50 | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; | semmle.order | 98 |
+| type_alias.ts:5:1:5:50 | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; | semmle.order | 99 |
 | type_alias.ts:5:6:5:17 | [Identifier] ValueOrArray | semmle.label | [Identifier] ValueOrArray |
 | type_alias.ts:5:19:5:19 | [Identifier] T | semmle.label | [Identifier] T |
 | type_alias.ts:5:19:5:19 | [TypeParameter] T | semmle.label | [TypeParameter] T |
@@ -1899,14 +1959,14 @@ nodes
 | type_alias.ts:5:34:5:48 | [GenericTypeExpr] ValueOrArray<T> | semmle.label | [GenericTypeExpr] ValueOrArray<T> |
 | type_alias.ts:5:47:5:47 | [LocalTypeAccess] T | semmle.label | [LocalTypeAccess] T |
 | type_alias.ts:7:1:7:28 | [DeclStmt] var c = ... | semmle.label | [DeclStmt] var c = ... |
-| type_alias.ts:7:1:7:28 | [DeclStmt] var c = ... | semmle.order | 99 |
+| type_alias.ts:7:1:7:28 | [DeclStmt] var c = ... | semmle.order | 100 |
 | type_alias.ts:7:5:7:5 | [VarDecl] c | semmle.label | [VarDecl] c |
 | type_alias.ts:7:5:7:27 | [VariableDeclarator] c: Valu ... number> | semmle.label | [VariableDeclarator] c: Valu ... number> |
 | type_alias.ts:7:8:7:19 | [LocalTypeAccess] ValueOrArray | semmle.label | [LocalTypeAccess] ValueOrArray |
 | type_alias.ts:7:8:7:27 | [GenericTypeExpr] ValueOrArray<number> | semmle.label | [GenericTypeExpr] ValueOrArray<number> |
 | type_alias.ts:7:21:7:26 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | type_alias.ts:9:1:15:13 | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; |
-| type_alias.ts:9:1:15:13 | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; | semmle.order | 100 |
+| type_alias.ts:9:1:15:13 | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; | semmle.order | 101 |
 | type_alias.ts:9:6:9:9 | [Identifier] Json | semmle.label | [Identifier] Json |
 | type_alias.ts:10:5:15:12 | [UnionTypeExpr] \| strin ... Json[] | semmle.label | [UnionTypeExpr] \| strin ... Json[] |
 | type_alias.ts:10:7:10:12 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
@@ -1922,12 +1982,12 @@ nodes
 | type_alias.ts:15:7:15:10 | [LocalTypeAccess] Json | semmle.label | [LocalTypeAccess] Json |
 | type_alias.ts:15:7:15:12 | [ArrayTypeExpr] Json[] | semmle.label | [ArrayTypeExpr] Json[] |
 | type_alias.ts:17:1:17:15 | [DeclStmt] var json = ... | semmle.label | [DeclStmt] var json = ... |
-| type_alias.ts:17:1:17:15 | [DeclStmt] var json = ... | semmle.order | 101 |
+| type_alias.ts:17:1:17:15 | [DeclStmt] var json = ... | semmle.order | 102 |
 | type_alias.ts:17:5:17:8 | [VarDecl] json | semmle.label | [VarDecl] json |
 | type_alias.ts:17:5:17:14 | [VariableDeclarator] json: Json | semmle.label | [VariableDeclarator] json: Json |
 | type_alias.ts:17:11:17:14 | [LocalTypeAccess] Json | semmle.label | [LocalTypeAccess] Json |
 | type_alias.ts:19:1:21:57 | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; |
-| type_alias.ts:19:1:21:57 | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; | semmle.order | 102 |
+| type_alias.ts:19:1:21:57 | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; | semmle.order | 103 |
 | type_alias.ts:19:6:19:16 | [Identifier] VirtualNode | semmle.label | [Identifier] VirtualNode |
 | type_alias.ts:20:5:21:56 | [UnionTypeExpr] \| strin ... Node[]] | semmle.label | [UnionTypeExpr] \| strin ... Node[]] |
 | type_alias.ts:20:7:20:12 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
@@ -1943,7 +2003,7 @@ nodes
 | type_alias.ts:21:43:21:53 | [LocalTypeAccess] VirtualNode | semmle.label | [LocalTypeAccess] VirtualNode |
 | type_alias.ts:21:43:21:55 | [ArrayTypeExpr] VirtualNode[] | semmle.label | [ArrayTypeExpr] VirtualNode[] |
 | type_alias.ts:23:1:27:6 | [DeclStmt] const myNode = ... | semmle.label | [DeclStmt] const myNode = ... |
-| type_alias.ts:23:1:27:6 | [DeclStmt] const myNode = ... | semmle.order | 103 |
+| type_alias.ts:23:1:27:6 | [DeclStmt] const myNode = ... | semmle.order | 104 |
 | type_alias.ts:23:7:23:12 | [VarDecl] myNode | semmle.label | [VarDecl] myNode |
 | type_alias.ts:23:7:27:5 | [VariableDeclarator] myNode: ... ] ] | semmle.label | [VariableDeclarator] myNode: ... ] ] |
 | type_alias.ts:23:15:23:25 | [LocalTypeAccess] VirtualNode | semmle.label | [LocalTypeAccess] VirtualNode |
@@ -1968,12 +2028,12 @@ nodes
 | type_alias.ts:26:23:26:36 | [Literal] "second-child" | semmle.label | [Literal] "second-child" |
 | type_alias.ts:26:41:26:62 | [Literal] "I'm the second child" | semmle.label | [Literal] "I'm the second child" |
 | type_definition_objects.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.label | [ImportDeclaration] import ... dummy"; |
-| type_definition_objects.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 104 |
+| type_definition_objects.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 105 |
 | type_definition_objects.ts:1:8:1:17 | [ImportSpecifier] * as dummy | semmle.label | [ImportSpecifier] * as dummy |
 | type_definition_objects.ts:1:13:1:17 | [VarDecl] dummy | semmle.label | [VarDecl] dummy |
 | type_definition_objects.ts:1:24:1:32 | [Literal] "./dummy" | semmle.label | [Literal] "./dummy" |
 | type_definition_objects.ts:3:1:3:17 | [ExportDeclaration] export class C {} | semmle.label | [ExportDeclaration] export class C {} |
-| type_definition_objects.ts:3:1:3:17 | [ExportDeclaration] export class C {} | semmle.order | 105 |
+| type_definition_objects.ts:3:1:3:17 | [ExportDeclaration] export class C {} | semmle.order | 106 |
 | type_definition_objects.ts:3:8:3:17 | [ClassDefinition,TypeDefinition] class C {} | semmle.label | [ClassDefinition,TypeDefinition] class C {} |
 | type_definition_objects.ts:3:14:3:14 | [VarDecl] C | semmle.label | [VarDecl] C |
 | type_definition_objects.ts:3:16:3:15 | [BlockStmt] {} | semmle.label | [BlockStmt] {} |
@@ -1981,36 +2041,36 @@ nodes
 | type_definition_objects.ts:3:16:3:15 | [FunctionExpr] () {} | semmle.label | [FunctionExpr] () {} |
 | type_definition_objects.ts:3:16:3:15 | [Label] constructor | semmle.label | [Label] constructor |
 | type_definition_objects.ts:4:1:4:17 | [DeclStmt] let classObj = ... | semmle.label | [DeclStmt] let classObj = ... |
-| type_definition_objects.ts:4:1:4:17 | [DeclStmt] let classObj = ... | semmle.order | 106 |
+| type_definition_objects.ts:4:1:4:17 | [DeclStmt] let classObj = ... | semmle.order | 107 |
 | type_definition_objects.ts:4:5:4:12 | [VarDecl] classObj | semmle.label | [VarDecl] classObj |
 | type_definition_objects.ts:4:5:4:16 | [VariableDeclarator] classObj = C | semmle.label | [VariableDeclarator] classObj = C |
 | type_definition_objects.ts:4:16:4:16 | [VarRef] C | semmle.label | [VarRef] C |
 | type_definition_objects.ts:6:1:6:16 | [ExportDeclaration] export enum E {} | semmle.label | [ExportDeclaration] export enum E {} |
-| type_definition_objects.ts:6:1:6:16 | [ExportDeclaration] export enum E {} | semmle.order | 107 |
+| type_definition_objects.ts:6:1:6:16 | [ExportDeclaration] export enum E {} | semmle.order | 108 |
 | type_definition_objects.ts:6:8:6:16 | [EnumDeclaration,TypeDefinition] enum E {} | semmle.label | [EnumDeclaration,TypeDefinition] enum E {} |
 | type_definition_objects.ts:6:13:6:13 | [VarDecl] E | semmle.label | [VarDecl] E |
 | type_definition_objects.ts:7:1:7:16 | [DeclStmt] let enumObj = ... | semmle.label | [DeclStmt] let enumObj = ... |
-| type_definition_objects.ts:7:1:7:16 | [DeclStmt] let enumObj = ... | semmle.order | 108 |
+| type_definition_objects.ts:7:1:7:16 | [DeclStmt] let enumObj = ... | semmle.order | 109 |
 | type_definition_objects.ts:7:5:7:11 | [VarDecl] enumObj | semmle.label | [VarDecl] enumObj |
 | type_definition_objects.ts:7:5:7:15 | [VariableDeclarator] enumObj = E | semmle.label | [VariableDeclarator] enumObj = E |
 | type_definition_objects.ts:7:15:7:15 | [VarRef] E | semmle.label | [VarRef] E |
 | type_definition_objects.ts:9:1:9:22 | [ExportDeclaration] export ... e N {;} | semmle.label | [ExportDeclaration] export ... e N {;} |
-| type_definition_objects.ts:9:1:9:22 | [ExportDeclaration] export ... e N {;} | semmle.order | 109 |
+| type_definition_objects.ts:9:1:9:22 | [ExportDeclaration] export ... e N {;} | semmle.order | 110 |
 | type_definition_objects.ts:9:8:9:22 | [NamespaceDeclaration] namespace N {;} | semmle.label | [NamespaceDeclaration] namespace N {;} |
 | type_definition_objects.ts:9:18:9:18 | [VarDecl] N | semmle.label | [VarDecl] N |
 | type_definition_objects.ts:9:21:9:21 | [EmptyStmt] ; | semmle.label | [EmptyStmt] ; |
 | type_definition_objects.ts:10:1:10:21 | [DeclStmt] let namespaceObj = ... | semmle.label | [DeclStmt] let namespaceObj = ... |
-| type_definition_objects.ts:10:1:10:21 | [DeclStmt] let namespaceObj = ... | semmle.order | 110 |
+| type_definition_objects.ts:10:1:10:21 | [DeclStmt] let namespaceObj = ... | semmle.order | 111 |
 | type_definition_objects.ts:10:5:10:16 | [VarDecl] namespaceObj | semmle.label | [VarDecl] namespaceObj |
 | type_definition_objects.ts:10:5:10:20 | [VariableDeclarator] namespaceObj = N | semmle.label | [VariableDeclarator] namespaceObj = N |
 | type_definition_objects.ts:10:20:10:20 | [VarRef] N | semmle.label | [VarRef] N |
 | type_definitions.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.label | [ImportDeclaration] import ... dummy"; |
-| type_definitions.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 111 |
+| type_definitions.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 112 |
 | type_definitions.ts:1:8:1:17 | [ImportSpecifier] * as dummy | semmle.label | [ImportSpecifier] * as dummy |
 | type_definitions.ts:1:13:1:17 | [VarDecl] dummy | semmle.label | [VarDecl] dummy |
 | type_definitions.ts:1:24:1:32 | [Literal] "./dummy" | semmle.label | [Literal] "./dummy" |
 | type_definitions.ts:3:1:5:1 | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } | semmle.label | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } |
-| type_definitions.ts:3:1:5:1 | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } | semmle.order | 112 |
+| type_definitions.ts:3:1:5:1 | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } | semmle.order | 113 |
 | type_definitions.ts:3:11:3:11 | [Identifier] I | semmle.label | [Identifier] I |
 | type_definitions.ts:3:13:3:13 | [Identifier] S | semmle.label | [Identifier] S |
 | type_definitions.ts:3:13:3:13 | [TypeParameter] S | semmle.label | [TypeParameter] S |
@@ -2018,14 +2078,14 @@ nodes
 | type_definitions.ts:4:3:4:7 | [FieldDeclaration] x: S; | semmle.label | [FieldDeclaration] x: S; |
 | type_definitions.ts:4:6:4:6 | [LocalTypeAccess] S | semmle.label | [LocalTypeAccess] S |
 | type_definitions.ts:6:1:6:16 | [DeclStmt] let i = ... | semmle.label | [DeclStmt] let i = ... |
-| type_definitions.ts:6:1:6:16 | [DeclStmt] let i = ... | semmle.order | 113 |
+| type_definitions.ts:6:1:6:16 | [DeclStmt] let i = ... | semmle.order | 114 |
 | type_definitions.ts:6:5:6:5 | [VarDecl] i | semmle.label | [VarDecl] i |
 | type_definitions.ts:6:5:6:16 | [VariableDeclarator] i: I<number> | semmle.label | [VariableDeclarator] i: I<number> |
 | type_definitions.ts:6:8:6:8 | [LocalTypeAccess] I | semmle.label | [LocalTypeAccess] I |
 | type_definitions.ts:6:8:6:16 | [GenericTypeExpr] I<number> | semmle.label | [GenericTypeExpr] I<number> |
 | type_definitions.ts:6:10:6:15 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | type_definitions.ts:8:1:10:1 | [ClassDefinition,TypeDefinition] class C ... x: T } | semmle.label | [ClassDefinition,TypeDefinition] class C ... x: T } |
-| type_definitions.ts:8:1:10:1 | [ClassDefinition,TypeDefinition] class C ... x: T } | semmle.order | 114 |
+| type_definitions.ts:8:1:10:1 | [ClassDefinition,TypeDefinition] class C ... x: T } | semmle.order | 115 |
 | type_definitions.ts:8:7:8:7 | [VarDecl] C | semmle.label | [VarDecl] C |
 | type_definitions.ts:8:8:8:7 | [BlockStmt] {} | semmle.label | [BlockStmt] {} |
 | type_definitions.ts:8:8:8:7 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.label | [ClassInitializedMember,ConstructorDefinition] constructor() {} |
@@ -2037,14 +2097,14 @@ nodes
 | type_definitions.ts:9:3:9:6 | [FieldDeclaration] x: T | semmle.label | [FieldDeclaration] x: T |
 | type_definitions.ts:9:6:9:6 | [LocalTypeAccess] T | semmle.label | [LocalTypeAccess] T |
 | type_definitions.ts:11:1:11:17 | [DeclStmt] let c = ... | semmle.label | [DeclStmt] let c = ... |
-| type_definitions.ts:11:1:11:17 | [DeclStmt] let c = ... | semmle.order | 115 |
+| type_definitions.ts:11:1:11:17 | [DeclStmt] let c = ... | semmle.order | 116 |
 | type_definitions.ts:11:5:11:5 | [VarDecl] c | semmle.label | [VarDecl] c |
 | type_definitions.ts:11:5:11:16 | [VariableDeclarator] c: C<number> | semmle.label | [VariableDeclarator] c: C<number> |
 | type_definitions.ts:11:8:11:8 | [LocalTypeAccess] C | semmle.label | [LocalTypeAccess] C |
 | type_definitions.ts:11:8:11:16 | [GenericTypeExpr] C<number> | semmle.label | [GenericTypeExpr] C<number> |
 | type_definitions.ts:11:10:11:15 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | type_definitions.ts:13:1:15:1 | [EnumDeclaration,TypeDefinition] enum Co ... blue } | semmle.label | [EnumDeclaration,TypeDefinition] enum Co ... blue } |
-| type_definitions.ts:13:1:15:1 | [EnumDeclaration,TypeDefinition] enum Co ... blue } | semmle.order | 116 |
+| type_definitions.ts:13:1:15:1 | [EnumDeclaration,TypeDefinition] enum Co ... blue } | semmle.order | 117 |
 | type_definitions.ts:13:6:13:10 | [VarDecl] Color | semmle.label | [VarDecl] Color |
 | type_definitions.ts:14:3:14:5 | [EnumMember,TypeDefinition] red | semmle.label | [EnumMember,TypeDefinition] red |
 | type_definitions.ts:14:3:14:5 | [VarDecl] red | semmle.label | [VarDecl] red |
@@ -2053,29 +2113,29 @@ nodes
 | type_definitions.ts:14:15:14:18 | [EnumMember,TypeDefinition] blue | semmle.label | [EnumMember,TypeDefinition] blue |
 | type_definitions.ts:14:15:14:18 | [VarDecl] blue | semmle.label | [VarDecl] blue |
 | type_definitions.ts:16:1:16:17 | [DeclStmt] let color = ... | semmle.label | [DeclStmt] let color = ... |
-| type_definitions.ts:16:1:16:17 | [DeclStmt] let color = ... | semmle.order | 117 |
+| type_definitions.ts:16:1:16:17 | [DeclStmt] let color = ... | semmle.order | 118 |
 | type_definitions.ts:16:5:16:9 | [VarDecl] color | semmle.label | [VarDecl] color |
 | type_definitions.ts:16:5:16:16 | [VariableDeclarator] color: Color | semmle.label | [VariableDeclarator] color: Color |
 | type_definitions.ts:16:12:16:16 | [LocalTypeAccess] Color | semmle.label | [LocalTypeAccess] Color |
 | type_definitions.ts:18:1:18:33 | [EnumDeclaration,TypeDefinition] enum En ... ember } | semmle.label | [EnumDeclaration,TypeDefinition] enum En ... ember } |
-| type_definitions.ts:18:1:18:33 | [EnumDeclaration,TypeDefinition] enum En ... ember } | semmle.order | 118 |
+| type_definitions.ts:18:1:18:33 | [EnumDeclaration,TypeDefinition] enum En ... ember } | semmle.order | 119 |
 | type_definitions.ts:18:6:18:22 | [VarDecl] EnumWithOneMember | semmle.label | [VarDecl] EnumWithOneMember |
 | type_definitions.ts:18:26:18:31 | [EnumMember,TypeDefinition] member | semmle.label | [EnumMember,TypeDefinition] member |
 | type_definitions.ts:18:26:18:31 | [VarDecl] member | semmle.label | [VarDecl] member |
 | type_definitions.ts:19:1:19:25 | [DeclStmt] let e = ... | semmle.label | [DeclStmt] let e = ... |
-| type_definitions.ts:19:1:19:25 | [DeclStmt] let e = ... | semmle.order | 119 |
+| type_definitions.ts:19:1:19:25 | [DeclStmt] let e = ... | semmle.order | 120 |
 | type_definitions.ts:19:5:19:5 | [VarDecl] e | semmle.label | [VarDecl] e |
 | type_definitions.ts:19:5:19:24 | [VariableDeclarator] e: EnumWithOneMember | semmle.label | [VariableDeclarator] e: EnumWithOneMember |
 | type_definitions.ts:19:8:19:24 | [LocalTypeAccess] EnumWithOneMember | semmle.label | [LocalTypeAccess] EnumWithOneMember |
 | type_definitions.ts:21:1:21:20 | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; |
-| type_definitions.ts:21:1:21:20 | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; | semmle.order | 120 |
+| type_definitions.ts:21:1:21:20 | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; | semmle.order | 121 |
 | type_definitions.ts:21:6:21:10 | [Identifier] Alias | semmle.label | [Identifier] Alias |
 | type_definitions.ts:21:12:21:12 | [Identifier] T | semmle.label | [Identifier] T |
 | type_definitions.ts:21:12:21:12 | [TypeParameter] T | semmle.label | [TypeParameter] T |
 | type_definitions.ts:21:17:21:17 | [LocalTypeAccess] T | semmle.label | [LocalTypeAccess] T |
 | type_definitions.ts:21:17:21:19 | [ArrayTypeExpr] T[] | semmle.label | [ArrayTypeExpr] T[] |
 | type_definitions.ts:22:1:22:39 | [DeclStmt] let aliasForNumberArray = ... | semmle.label | [DeclStmt] let aliasForNumberArray = ... |
-| type_definitions.ts:22:1:22:39 | [DeclStmt] let aliasForNumberArray = ... | semmle.order | 121 |
+| type_definitions.ts:22:1:22:39 | [DeclStmt] let aliasForNumberArray = ... | semmle.order | 122 |
 | type_definitions.ts:22:5:22:23 | [VarDecl] aliasForNumberArray | semmle.label | [VarDecl] aliasForNumberArray |
 | type_definitions.ts:22:5:22:38 | [VariableDeclarator] aliasFo ... number> | semmle.label | [VariableDeclarator] aliasFo ... number> |
 | type_definitions.ts:22:26:22:30 | [LocalTypeAccess] Alias | semmle.label | [LocalTypeAccess] Alias |
@@ -2284,6 +2344,8 @@ edges
 | file://:0:0:0:0 | (Arguments) | tst.ts:493:32:493:49 | [ArrayExpr] [0, 1, 2, 3, 4, 5] | semmle.order | 0 |
 | file://:0:0:0:0 | (Arguments) | tst.ts:493:52:495:3 | [ArrowFunctionExpr] (num, i ... d"; } | semmle.label | 1 |
 | file://:0:0:0:0 | (Arguments) | tst.ts:493:52:495:3 | [ArrowFunctionExpr] (num, i ... d"; } | semmle.order | 1 |
+| file://:0:0:0:0 | (Arguments) | tst.ts:500:13:500:38 | [ArrowFunctionExpr] s => ty ... string" | semmle.label | 0 |
+| file://:0:0:0:0 | (Arguments) | tst.ts:500:13:500:38 | [ArrowFunctionExpr] s => ty ... string" | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:14:17:14:17 | [SimpleParameter] x | semmle.label | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:14:17:14:17 | [SimpleParameter] x | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:14:28:14:28 | [SimpleParameter] y | semmle.label | 1 |
@@ -2390,6 +2452,12 @@ edges
 | file://:0:0:0:0 | (Parameters) | tst.ts:493:53:493:55 | [SimpleParameter] num | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:493:58:493:62 | [SimpleParameter] index | semmle.label | 1 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:493:58:493:62 | [SimpleParameter] index | semmle.order | 1 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:500:13:500:13 | [SimpleParameter] s | semmle.label | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:500:13:500:13 | [SimpleParameter] s | semmle.order | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:506:15:506:17 | [SimpleParameter] obj | semmle.label | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:506:15:506:17 | [SimpleParameter] obj | semmle.order | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:506:45:506:47 | [SimpleParameter] key | semmle.label | 1 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:506:45:506:47 | [SimpleParameter] key | semmle.order | 1 |
 | file://:0:0:0:0 | (Parameters) | type_alias.ts:14:10:14:17 | [SimpleParameter] property | semmle.label | 0 |
 | file://:0:0:0:0 | (Parameters) | type_alias.ts:14:10:14:17 | [SimpleParameter] property | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | type_alias.ts:21:19:21:21 | [SimpleParameter] key | semmle.label | 0 |
@@ -5358,6 +5426,114 @@ edges
 | tst.ts:494:12:494:40 | [ConditionalExpr] num % 2 ... : "odd" | tst.ts:494:28:494:33 | [Literal] "even" | semmle.order | 2 |
 | tst.ts:494:12:494:40 | [ConditionalExpr] num % 2 ... : "odd" | tst.ts:494:36:494:40 | [Literal] "odd" | semmle.label | 3 |
 | tst.ts:494:12:494:40 | [ConditionalExpr] num % 2 ... : "odd" | tst.ts:494:36:494:40 | [Literal] "odd" | semmle.order | 3 |
+| tst.ts:498:1:511:1 | [NamespaceDeclaration] module ... } } } | tst.ts:498:8:498:11 | [VarDecl] TS55 | semmle.label | 1 |
+| tst.ts:498:1:511:1 | [NamespaceDeclaration] module ... } } } | tst.ts:498:8:498:11 | [VarDecl] TS55 | semmle.order | 1 |
+| tst.ts:498:1:511:1 | [NamespaceDeclaration] module ... } } } | tst.ts:499:3:500:40 | [DeclStmt] const strings = ... | semmle.label | 2 |
+| tst.ts:498:1:511:1 | [NamespaceDeclaration] module ... } } } | tst.ts:499:3:500:40 | [DeclStmt] const strings = ... | semmle.order | 2 |
+| tst.ts:498:1:511:1 | [NamespaceDeclaration] module ... } } } | tst.ts:502:3:504:3 | [ForOfStmt] for (co ... 5.4 } | semmle.label | 3 |
+| tst.ts:498:1:511:1 | [NamespaceDeclaration] module ... } } } | tst.ts:502:3:504:3 | [ForOfStmt] for (co ... 5.4 } | semmle.order | 3 |
+| tst.ts:498:1:511:1 | [NamespaceDeclaration] module ... } } } | tst.ts:506:3:510:3 | [FunctionDeclStmt] functio ... } } | semmle.label | 4 |
+| tst.ts:498:1:511:1 | [NamespaceDeclaration] module ... } } } | tst.ts:506:3:510:3 | [FunctionDeclStmt] functio ... } } | semmle.order | 4 |
+| tst.ts:499:3:500:40 | [DeclStmt] const strings = ... | tst.ts:499:9:500:39 | [VariableDeclarator] strings ... tring") | semmle.label | 1 |
+| tst.ts:499:3:500:40 | [DeclStmt] const strings = ... | tst.ts:499:9:500:39 | [VariableDeclarator] strings ... tring") | semmle.order | 1 |
+| tst.ts:499:9:500:39 | [VariableDeclarator] strings ... tring") | tst.ts:499:9:499:15 | [VarDecl] strings | semmle.label | 1 |
+| tst.ts:499:9:500:39 | [VariableDeclarator] strings ... tring") | tst.ts:499:9:499:15 | [VarDecl] strings | semmle.order | 1 |
+| tst.ts:499:9:500:39 | [VariableDeclarator] strings ... tring") | tst.ts:499:19:500:39 | [MethodCallExpr] (["foo" ... tring") | semmle.label | 2 |
+| tst.ts:499:9:500:39 | [VariableDeclarator] strings ... tring") | tst.ts:499:19:500:39 | [MethodCallExpr] (["foo" ... tring") | semmle.order | 2 |
+| tst.ts:499:19:499:32 | [ParExpr] (["foo", 123]) | tst.ts:499:20:499:31 | [ArrayExpr] ["foo", 123] | semmle.label | 1 |
+| tst.ts:499:19:499:32 | [ParExpr] (["foo", 123]) | tst.ts:499:20:499:31 | [ArrayExpr] ["foo", 123] | semmle.order | 1 |
+| tst.ts:499:19:500:11 | [DotExpr] (["foo" ... .filter | tst.ts:499:19:499:32 | [ParExpr] (["foo", 123]) | semmle.label | 1 |
+| tst.ts:499:19:500:11 | [DotExpr] (["foo" ... .filter | tst.ts:499:19:499:32 | [ParExpr] (["foo", 123]) | semmle.order | 1 |
+| tst.ts:499:19:500:11 | [DotExpr] (["foo" ... .filter | tst.ts:500:6:500:11 | [Label] filter | semmle.label | 2 |
+| tst.ts:499:19:500:11 | [DotExpr] (["foo" ... .filter | tst.ts:500:6:500:11 | [Label] filter | semmle.order | 2 |
+| tst.ts:499:19:500:39 | [MethodCallExpr] (["foo" ... tring") | file://:0:0:0:0 | (Arguments) | semmle.label | 1 |
+| tst.ts:499:19:500:39 | [MethodCallExpr] (["foo" ... tring") | file://:0:0:0:0 | (Arguments) | semmle.order | 1 |
+| tst.ts:499:19:500:39 | [MethodCallExpr] (["foo" ... tring") | tst.ts:499:19:500:11 | [DotExpr] (["foo" ... .filter | semmle.label | 0 |
+| tst.ts:499:19:500:39 | [MethodCallExpr] (["foo" ... tring") | tst.ts:499:19:500:11 | [DotExpr] (["foo" ... .filter | semmle.order | 0 |
+| tst.ts:499:20:499:31 | [ArrayExpr] ["foo", 123] | tst.ts:499:21:499:25 | [Literal] "foo" | semmle.label | 1 |
+| tst.ts:499:20:499:31 | [ArrayExpr] ["foo", 123] | tst.ts:499:21:499:25 | [Literal] "foo" | semmle.order | 1 |
+| tst.ts:499:20:499:31 | [ArrayExpr] ["foo", 123] | tst.ts:499:28:499:30 | [Literal] 123 | semmle.label | 2 |
+| tst.ts:499:20:499:31 | [ArrayExpr] ["foo", 123] | tst.ts:499:28:499:30 | [Literal] 123 | semmle.order | 2 |
+| tst.ts:500:13:500:38 | [ArrowFunctionExpr] s => ty ... string" | file://:0:0:0:0 | (Parameters) | semmle.label | 1 |
+| tst.ts:500:13:500:38 | [ArrowFunctionExpr] s => ty ... string" | file://:0:0:0:0 | (Parameters) | semmle.order | 1 |
+| tst.ts:500:13:500:38 | [ArrowFunctionExpr] s => ty ... string" | tst.ts:500:18:500:38 | [BinaryExpr] typeof ... string" | semmle.label | 5 |
+| tst.ts:500:13:500:38 | [ArrowFunctionExpr] s => ty ... string" | tst.ts:500:18:500:38 | [BinaryExpr] typeof ... string" | semmle.order | 5 |
+| tst.ts:500:18:500:25 | [UnaryExpr] typeof s | tst.ts:500:25:500:25 | [VarRef] s | semmle.label | 1 |
+| tst.ts:500:18:500:25 | [UnaryExpr] typeof s | tst.ts:500:25:500:25 | [VarRef] s | semmle.order | 1 |
+| tst.ts:500:18:500:38 | [BinaryExpr] typeof ... string" | tst.ts:500:18:500:25 | [UnaryExpr] typeof s | semmle.label | 1 |
+| tst.ts:500:18:500:38 | [BinaryExpr] typeof ... string" | tst.ts:500:18:500:25 | [UnaryExpr] typeof s | semmle.order | 1 |
+| tst.ts:500:18:500:38 | [BinaryExpr] typeof ... string" | tst.ts:500:31:500:38 | [Literal] "string" | semmle.label | 2 |
+| tst.ts:500:18:500:38 | [BinaryExpr] typeof ... string" | tst.ts:500:31:500:38 | [Literal] "string" | semmle.order | 2 |
+| tst.ts:502:3:504:3 | [ForOfStmt] for (co ... 5.4 } | tst.ts:502:8:502:16 | [DeclStmt] const str = ... | semmle.label | 1 |
+| tst.ts:502:3:504:3 | [ForOfStmt] for (co ... 5.4 } | tst.ts:502:8:502:16 | [DeclStmt] const str = ... | semmle.order | 1 |
+| tst.ts:502:3:504:3 | [ForOfStmt] for (co ... 5.4 } | tst.ts:502:21:502:27 | [VarRef] strings | semmle.label | 2 |
+| tst.ts:502:3:504:3 | [ForOfStmt] for (co ... 5.4 } | tst.ts:502:21:502:27 | [VarRef] strings | semmle.order | 2 |
+| tst.ts:502:3:504:3 | [ForOfStmt] for (co ... 5.4 } | tst.ts:502:30:504:3 | [BlockStmt] { s ... 5.4 } | semmle.label | 3 |
+| tst.ts:502:3:504:3 | [ForOfStmt] for (co ... 5.4 } | tst.ts:502:30:504:3 | [BlockStmt] { s ... 5.4 } | semmle.order | 3 |
+| tst.ts:502:8:502:16 | [DeclStmt] const str = ... | tst.ts:502:14:502:16 | [VariableDeclarator] str | semmle.label | 1 |
+| tst.ts:502:8:502:16 | [DeclStmt] const str = ... | tst.ts:502:14:502:16 | [VariableDeclarator] str | semmle.order | 1 |
+| tst.ts:502:14:502:16 | [VariableDeclarator] str | tst.ts:502:14:502:16 | [VarDecl] str | semmle.label | 1 |
+| tst.ts:502:14:502:16 | [VariableDeclarator] str | tst.ts:502:14:502:16 | [VarDecl] str | semmle.order | 1 |
+| tst.ts:502:30:504:3 | [BlockStmt] { s ... 5.4 } | tst.ts:503:5:503:22 | [ExprStmt] str.toLowerCase(); | semmle.label | 1 |
+| tst.ts:502:30:504:3 | [BlockStmt] { s ... 5.4 } | tst.ts:503:5:503:22 | [ExprStmt] str.toLowerCase(); | semmle.order | 1 |
+| tst.ts:503:5:503:19 | [DotExpr] str.toLowerCase | tst.ts:503:5:503:7 | [VarRef] str | semmle.label | 1 |
+| tst.ts:503:5:503:19 | [DotExpr] str.toLowerCase | tst.ts:503:5:503:7 | [VarRef] str | semmle.order | 1 |
+| tst.ts:503:5:503:19 | [DotExpr] str.toLowerCase | tst.ts:503:9:503:19 | [Label] toLowerCase | semmle.label | 2 |
+| tst.ts:503:5:503:19 | [DotExpr] str.toLowerCase | tst.ts:503:9:503:19 | [Label] toLowerCase | semmle.order | 2 |
+| tst.ts:503:5:503:21 | [MethodCallExpr] str.toLowerCase() | tst.ts:503:5:503:19 | [DotExpr] str.toLowerCase | semmle.label | 0 |
+| tst.ts:503:5:503:21 | [MethodCallExpr] str.toLowerCase() | tst.ts:503:5:503:19 | [DotExpr] str.toLowerCase | semmle.order | 0 |
+| tst.ts:503:5:503:22 | [ExprStmt] str.toLowerCase(); | tst.ts:503:5:503:21 | [MethodCallExpr] str.toLowerCase() | semmle.label | 1 |
+| tst.ts:503:5:503:22 | [ExprStmt] str.toLowerCase(); | tst.ts:503:5:503:21 | [MethodCallExpr] str.toLowerCase() | semmle.order | 1 |
+| tst.ts:506:3:510:3 | [FunctionDeclStmt] functio ... } } | file://:0:0:0:0 | (Parameters) | semmle.label | 1 |
+| tst.ts:506:3:510:3 | [FunctionDeclStmt] functio ... } } | file://:0:0:0:0 | (Parameters) | semmle.order | 1 |
+| tst.ts:506:3:510:3 | [FunctionDeclStmt] functio ... } } | tst.ts:506:12:506:13 | [VarDecl] f1 | semmle.label | 0 |
+| tst.ts:506:3:510:3 | [FunctionDeclStmt] functio ... } } | tst.ts:506:12:506:13 | [VarDecl] f1 | semmle.order | 0 |
+| tst.ts:506:3:510:3 | [FunctionDeclStmt] functio ... } } | tst.ts:506:58:510:3 | [BlockStmt] { i ... } } | semmle.label | 5 |
+| tst.ts:506:3:510:3 | [FunctionDeclStmt] functio ... } } | tst.ts:506:58:510:3 | [BlockStmt] { i ... } } | semmle.order | 5 |
+| tst.ts:506:15:506:17 | [SimpleParameter] obj | tst.ts:506:20:506:42 | [GenericTypeExpr] Record< ... nknown> | semmle.label | -2 |
+| tst.ts:506:15:506:17 | [SimpleParameter] obj | tst.ts:506:20:506:42 | [GenericTypeExpr] Record< ... nknown> | semmle.order | -2 |
+| tst.ts:506:20:506:42 | [GenericTypeExpr] Record< ... nknown> | tst.ts:506:20:506:25 | [LocalTypeAccess] Record | semmle.label | 1 |
+| tst.ts:506:20:506:42 | [GenericTypeExpr] Record< ... nknown> | tst.ts:506:20:506:25 | [LocalTypeAccess] Record | semmle.order | 1 |
+| tst.ts:506:20:506:42 | [GenericTypeExpr] Record< ... nknown> | tst.ts:506:27:506:32 | [KeywordTypeExpr] string | semmle.label | 2 |
+| tst.ts:506:20:506:42 | [GenericTypeExpr] Record< ... nknown> | tst.ts:506:27:506:32 | [KeywordTypeExpr] string | semmle.order | 2 |
+| tst.ts:506:20:506:42 | [GenericTypeExpr] Record< ... nknown> | tst.ts:506:35:506:41 | [KeywordTypeExpr] unknown | semmle.label | 3 |
+| tst.ts:506:20:506:42 | [GenericTypeExpr] Record< ... nknown> | tst.ts:506:35:506:41 | [KeywordTypeExpr] unknown | semmle.order | 3 |
+| tst.ts:506:45:506:47 | [SimpleParameter] key | tst.ts:506:50:506:55 | [KeywordTypeExpr] string | semmle.label | -2 |
+| tst.ts:506:45:506:47 | [SimpleParameter] key | tst.ts:506:50:506:55 | [KeywordTypeExpr] string | semmle.order | -2 |
+| tst.ts:506:58:510:3 | [BlockStmt] { i ... } } | tst.ts:507:5:509:5 | [IfStmt] if (typ ... r } | semmle.label | 1 |
+| tst.ts:506:58:510:3 | [BlockStmt] { i ... } } | tst.ts:507:5:509:5 | [IfStmt] if (typ ... r } | semmle.order | 1 |
+| tst.ts:507:5:509:5 | [IfStmt] if (typ ... r } | tst.ts:507:9:507:36 | [BinaryExpr] typeof ... string" | semmle.label | 1 |
+| tst.ts:507:5:509:5 | [IfStmt] if (typ ... r } | tst.ts:507:9:507:36 | [BinaryExpr] typeof ... string" | semmle.order | 1 |
+| tst.ts:507:5:509:5 | [IfStmt] if (typ ... r } | tst.ts:507:39:509:5 | [BlockStmt] { ... r } | semmle.label | 2 |
+| tst.ts:507:5:509:5 | [IfStmt] if (typ ... r } | tst.ts:507:39:509:5 | [BlockStmt] { ... r } | semmle.order | 2 |
+| tst.ts:507:9:507:23 | [UnaryExpr] typeof obj[key] | tst.ts:507:16:507:23 | [IndexExpr] obj[key] | semmle.label | 1 |
+| tst.ts:507:9:507:23 | [UnaryExpr] typeof obj[key] | tst.ts:507:16:507:23 | [IndexExpr] obj[key] | semmle.order | 1 |
+| tst.ts:507:9:507:36 | [BinaryExpr] typeof ... string" | tst.ts:507:9:507:23 | [UnaryExpr] typeof obj[key] | semmle.label | 1 |
+| tst.ts:507:9:507:36 | [BinaryExpr] typeof ... string" | tst.ts:507:9:507:23 | [UnaryExpr] typeof obj[key] | semmle.order | 1 |
+| tst.ts:507:9:507:36 | [BinaryExpr] typeof ... string" | tst.ts:507:29:507:36 | [Literal] "string" | semmle.label | 2 |
+| tst.ts:507:9:507:36 | [BinaryExpr] typeof ... string" | tst.ts:507:29:507:36 | [Literal] "string" | semmle.order | 2 |
+| tst.ts:507:16:507:23 | [IndexExpr] obj[key] | tst.ts:507:16:507:18 | [VarRef] obj | semmle.label | 1 |
+| tst.ts:507:16:507:23 | [IndexExpr] obj[key] | tst.ts:507:16:507:18 | [VarRef] obj | semmle.order | 1 |
+| tst.ts:507:16:507:23 | [IndexExpr] obj[key] | tst.ts:507:20:507:22 | [VarRef] key | semmle.label | 2 |
+| tst.ts:507:16:507:23 | [IndexExpr] obj[key] | tst.ts:507:20:507:22 | [VarRef] key | semmle.order | 2 |
+| tst.ts:507:39:509:5 | [BlockStmt] { ... r } | tst.ts:508:7:508:39 | [DeclStmt] var str = ... | semmle.label | 1 |
+| tst.ts:507:39:509:5 | [BlockStmt] { ... r } | tst.ts:508:7:508:39 | [DeclStmt] var str = ... | semmle.order | 1 |
+| tst.ts:508:7:508:39 | [DeclStmt] var str = ... | tst.ts:508:11:508:38 | [VariableDeclarator] str = o ... rCase() | semmle.label | 1 |
+| tst.ts:508:7:508:39 | [DeclStmt] var str = ... | tst.ts:508:11:508:38 | [VariableDeclarator] str = o ... rCase() | semmle.order | 1 |
+| tst.ts:508:11:508:38 | [VariableDeclarator] str = o ... rCase() | tst.ts:508:11:508:13 | [VarDecl] str | semmle.label | 1 |
+| tst.ts:508:11:508:38 | [VariableDeclarator] str = o ... rCase() | tst.ts:508:11:508:13 | [VarDecl] str | semmle.order | 1 |
+| tst.ts:508:11:508:38 | [VariableDeclarator] str = o ... rCase() | tst.ts:508:17:508:38 | [MethodCallExpr] obj[key ... rCase() | semmle.label | 2 |
+| tst.ts:508:11:508:38 | [VariableDeclarator] str = o ... rCase() | tst.ts:508:17:508:38 | [MethodCallExpr] obj[key ... rCase() | semmle.order | 2 |
+| tst.ts:508:17:508:24 | [IndexExpr] obj[key] | tst.ts:508:17:508:19 | [VarRef] obj | semmle.label | 1 |
+| tst.ts:508:17:508:24 | [IndexExpr] obj[key] | tst.ts:508:17:508:19 | [VarRef] obj | semmle.order | 1 |
+| tst.ts:508:17:508:24 | [IndexExpr] obj[key] | tst.ts:508:21:508:23 | [VarRef] key | semmle.label | 2 |
+| tst.ts:508:17:508:24 | [IndexExpr] obj[key] | tst.ts:508:21:508:23 | [VarRef] key | semmle.order | 2 |
+| tst.ts:508:17:508:36 | [DotExpr] obj[key].toUpperCase | tst.ts:508:17:508:24 | [IndexExpr] obj[key] | semmle.label | 1 |
+| tst.ts:508:17:508:36 | [DotExpr] obj[key].toUpperCase | tst.ts:508:17:508:24 | [IndexExpr] obj[key] | semmle.order | 1 |
+| tst.ts:508:17:508:36 | [DotExpr] obj[key].toUpperCase | tst.ts:508:26:508:36 | [Label] toUpperCase | semmle.label | 2 |
+| tst.ts:508:17:508:36 | [DotExpr] obj[key].toUpperCase | tst.ts:508:26:508:36 | [Label] toUpperCase | semmle.order | 2 |
+| tst.ts:508:17:508:38 | [MethodCallExpr] obj[key ... rCase() | tst.ts:508:17:508:36 | [DotExpr] obj[key].toUpperCase | semmle.label | 0 |
+| tst.ts:508:17:508:38 | [MethodCallExpr] obj[key ... rCase() | tst.ts:508:17:508:36 | [DotExpr] obj[key].toUpperCase | semmle.order | 0 |
 | tstModuleCJS.cts:1:1:3:1 | [ExportDeclaration] export ... 'b'; } | tstModuleCJS.cts:1:8:3:1 | [FunctionDeclStmt] functio ... 'b'; } | semmle.label | 1 |
 | tstModuleCJS.cts:1:1:3:1 | [ExportDeclaration] export ... 'b'; } | tstModuleCJS.cts:1:8:3:1 | [FunctionDeclStmt] functio ... 'b'; } | semmle.order | 1 |
 | tstModuleCJS.cts:1:8:3:1 | [FunctionDeclStmt] functio ... 'b'; } | tstModuleCJS.cts:1:17:1:28 | [VarDecl] tstModuleCJS | semmle.label | 0 |
--- a/javascript/ql/test/library-tests/TypeScript/Types/tests.expected
+++ b/javascript/ql/test/library-tests/TypeScript/Types/tests.expected
@@ -692,6 +692,43 @@ getExprType
 | tst.ts:494:24:494:24 | 0 | 0 |
 | tst.ts:494:28:494:33 | "even" | "even" |
 | tst.ts:494:36:494:40 | "odd" | "odd" |
+| tst.ts:498:8:498:11 | TS55 | typeof TS55 in library-tests/TypeScript/Types/tst.ts |
+| tst.ts:499:9:499:15 | strings | string[] |
+| tst.ts:499:19:499:32 | (["foo", 123]) | (string \| number)[] |
+| tst.ts:499:19:500:11 | (["foo" ... .filter | { <S extends string \| number>(predicate: (value... |
+| tst.ts:499:19:500:39 | (["foo" ... tring") | string[] |
+| tst.ts:499:20:499:31 | ["foo", 123] | (string \| number)[] |
+| tst.ts:499:21:499:25 | "foo" | "foo" |
+| tst.ts:499:28:499:30 | 123 | 123 |
+| tst.ts:500:6:500:11 | filter | { <S extends string \| number>(predicate: (value... |
+| tst.ts:500:13:500:13 | s | string \| number |
+| tst.ts:500:13:500:38 | s => ty ... string" | (s: string \| number) => s is string |
+| tst.ts:500:18:500:25 | typeof s | "string" \| "number" \| "bigint" \| "boolean" \| "s... |
+| tst.ts:500:18:500:38 | typeof  ... string" | boolean |
+| tst.ts:500:25:500:25 | s | string \| number |
+| tst.ts:500:31:500:38 | "string" | "string" |
+| tst.ts:502:14:502:16 | str | string |
+| tst.ts:502:21:502:27 | strings | string[] |
+| tst.ts:503:5:503:7 | str | string |
+| tst.ts:503:5:503:19 | str.toLowerCase | () => string |
+| tst.ts:503:5:503:21 | str.toLowerCase() | string |
+| tst.ts:503:9:503:19 | toLowerCase | () => string |
+| tst.ts:506:12:506:13 | f1 | (obj: Record<string, unknown>, key: string) => ... |
+| tst.ts:506:15:506:17 | obj | Record<string, unknown> |
+| tst.ts:506:45:506:47 | key | string |
+| tst.ts:507:9:507:23 | typeof obj[key] | "string" \| "number" \| "bigint" \| "boolean" \| "s... |
+| tst.ts:507:9:507:36 | typeof  ... string" | boolean |
+| tst.ts:507:16:507:18 | obj | Record<string, unknown> |
+| tst.ts:507:16:507:23 | obj[key] | unknown |
+| tst.ts:507:20:507:22 | key | string |
+| tst.ts:507:29:507:36 | "string" | "string" |
+| tst.ts:508:11:508:13 | str | string |
+| tst.ts:508:17:508:19 | obj | Record<string, unknown> |
+| tst.ts:508:17:508:24 | obj[key] | string |
+| tst.ts:508:17:508:36 | obj[key].toUpperCase | () => string |
+| tst.ts:508:17:508:38 | obj[key ... rCase() | string |
+| tst.ts:508:21:508:23 | key | string |
+| tst.ts:508:26:508:36 | toUpperCase | () => string |
 | tstModuleCJS.cts:1:17:1:28 | tstModuleCJS | () => "a" \| "b" |
 | tstModuleCJS.cts:2:12:2:15 | Math | Math |
 | tstModuleCJS.cts:2:12:2:22 | Math.random | () => number |
@@ -1178,6 +1215,11 @@ getTypeExprType
 | tst.ts:487:56:487:58 | C[] | C[] |
 | tst.ts:487:76:487:82 | NoInfer | any |
 | tst.ts:487:84:487:84 | C | C |
+| tst.ts:506:20:506:25 | Record | Record<K, T> |
+| tst.ts:506:20:506:42 | Record< ... nknown> | Record<string, unknown> |
+| tst.ts:506:27:506:32 | string | string |
+| tst.ts:506:35:506:41 | unknown | unknown |
+| tst.ts:506:50:506:55 | string | string |
 | tstModuleCJS.cts:1:33:1:35 | 'a' | "a" |
 | tstModuleCJS.cts:1:33:1:41 | 'a' \| 'b' | "a" \| "b" |
 | tstModuleCJS.cts:1:39:1:41 | 'b' | "b" |
@@ -1375,6 +1417,7 @@ unknownType
 | tst.ts:228:12:228:16 | other | unknown |
 | tst.ts:229:16:229:20 | other | unknown |
 | tst.ts:230:20:230:24 | other | unknown |
+| tst.ts:507:16:507:23 | obj[key] | unknown |
 abstractSignature
 | (): HasArea |
 | new (): HasArea |
--- a/javascript/ql/test/library-tests/TypeScript/Types/tst.ts
+++ b/javascript/ql/test/library-tests/TypeScript/Types/tst.ts
@@ -493,4 +493,19 @@ module TS54 {
  const myObj = Object.groupBy([0, 1, 2, 3, 4, 5], (num, index) => {
    return num % 2 === 0 ? "even": "odd";
  });
+}
+
+module TS55 {
+  const strings = (["foo", 123])
+    .filter(s => typeof s === "string");
+
+  for (const str of strings) {
+    str.toLowerCase(); // <- string in 5.5, string | number in 5.4
+  }
+
+  function f1(obj: Record<string, unknown>, key: string) {
+    if (typeof obj[key] === "string") {
+      var str = obj[key].toUpperCase(); // Now okay, previously was error
+    }
+  }
 }
--- a/javascript/ql/test/library-tests/frameworks/Collections/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/Collections/test.expected
@@ -26,6 +26,7 @@ typeTracking
 | tst.js:2:16:2:23 | source() | tst.js:37:14:37:14 | e |
 | tst.js:2:16:2:23 | source() | tst.js:41:14:41:14 | e |
 | tst.js:2:16:2:23 | source() | tst.js:45:14:45:14 | e |
+| tst.js:2:16:2:23 | source() | tst.js:49:14:49:14 | e |
 | tst.js:2:16:2:23 | source() | tst.js:53:8:53:21 | map.get("key") |
 | tst.js:2:16:2:23 | source() | tst.js:59:8:59:22 | map2.get("foo") |
 | tst.js:2:16:2:23 | source() | tst.js:64:8:64:26 | map3.get(unknown()) |
--- a/javascript/ql/test/library-tests/frameworks/Collections/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/Collections/tst.js
@@ -47,7 +47,7 @@
  }

  for (const e of Array.from(set)) {
-    sink(e); // NOT OK  (not caught by type-tracking, as it doesn't include array steps). 
+    sink(e); // NOT OK
  }

  sink(map.get("key")); // NOT OK.
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-094-dataURL/CodeInjection.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-099/EnvValueAndKeyInjection.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-099/EnvValueInjection.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql`
				`@@ -0,0 +1 @@`
				`./experimental/Security/CWE-942/CorsPermissiveConfiguration.ql`