use dominating write check in js/path-injection

2026-05-01 19:55:15 +02:00 · 2020-06-02 14:54:41 +02:00
parent 6bc821b1ab
commit e467d3ccbf
3 changed files with 490 additions and 1 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -2168,6 +2168,206 @@ nodes
 | other-fs-libraries.js:40:35:40:38 | path |
 | other-fs-libraries.js:40:35:40:38 | path |
 | other-fs-libraries.js:40:35:40:38 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:24:6:30 | req.url |
+| tainted-access-paths.js:6:24:6:30 | req.url |
+| tainted-access-paths.js:6:24:6:30 | req.url |
+| tainted-access-paths.js:6:24:6:30 | req.url |
+| tainted-access-paths.js:6:24:6:30 | req.url |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 |
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
@@ -5871,6 +6071,262 @@ edges
 | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:38:14:38:37 | url.par ... , true) |
 | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:38:14:38:37 | url.par ... , true) |
 | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:38:14:38:37 | url.par ... , true) |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:10:33:10:36 | path |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | tainted-access-paths.js:6:14:6:43 | url.par ... ).query |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:43 | url.par ... ).query | tainted-access-paths.js:6:14:6:48 | url.par ... ry.path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | tainted-access-paths.js:6:7:6:48 | path |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:6:14:6:37 | url.par ... , true) |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:12:19:12:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:7:10:36 | obj | tainted-access-paths.js:26:19:26:21 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path | tainted-access-paths.js:10:7:10:36 | obj |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:10:33:10:36 | path | tainted-access-paths.js:10:13:10:36 | bla ? s ...  : path |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:12:19:12:21 | obj | tainted-access-paths.js:12:19:12:25 | obj.sub |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
+| tainted-access-paths.js:26:19:26:21 | obj | tainted-access-paths.js:26:19:26:26 | obj.sub3 |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") |
@@ -6771,6 +7227,9 @@ edges
 | other-fs-libraries.js:19:56:19:59 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:19:56:19:59 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:24:35:24:38 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:24:35:24:38 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:40:35:40:38 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:40:35:40:38 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
+| tainted-access-paths.js:8:19:8:22 | path | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:8:19:8:22 | path | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
+| tainted-access-paths.js:12:19:12:25 | obj.sub | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:12:19:12:25 | obj.sub | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
+| tainted-access-paths.js:26:19:26:26 | obj.sub3 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:26:19:26:26 | obj.sub3 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js
@@ -0,0 +1,29 @@
+var fs = require('fs'),
+    http = require('http'),
+    url = require('url');
+
+var server = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path;
+  
+  fs.readFileSync(path); // NOT OK
+
+  var obj = bla ? something() : path;
+
+  fs.readFileSync(obj.sub); // NOT OK
+
+  obj.sub = "safe";
+
+  fs.readFileSync(obj.sub); // OK
+
+  obj.sub2 = "safe";
+  if (random()) {
+    fs.readFileSync(obj.sub2); // OK
+  }
+
+  if (random()) {
+    obj.sub3 = "safe"
+  }
+  fs.readFileSync(obj.sub3); // NOT OK
+});
+
+server.listen();