Merge master into next.

javascript/ql/test/library-tests/Security/CWE-338/InsecureRandomnessSource.expected

@@ -6,3 +6,5 @@
 | tst.js:15:1:15:12 | randomSeed() |
 | tst.js:18:1:18:14 | uniqueRandom() |
 | tst.js:22:1:22:12 | chance.XYZ() |
+| tst.js:25:1:25:29 | crypto. ... es(100) |
+| tst.js:26:1:26:33 | new cry ... es(100) |

javascript/ql/test/library-tests/Security/CWE-338/tst.js

@@ -20,3 +20,7 @@ uniqueRandom();
 var Chance = require('chance'),
     chance = new Chance();
 chance.XYZ();
+
+let crypto = require('crypto');
+crypto.pseudoRandomBytes(100);
+new crypto.pseudoRandomBytes(100);

javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess.expected

@@ -0,0 +1,4 @@
+| persistence.js:3:5:3:33 | localSt ... prop1') |
+| persistence.js:6:5:6:35 | session ... prop2') |
+| persistence.js:10:5:10:33 | localSt ... prop4') |
+| persistence.js:13:5:13:35 | session ... prop5') |

javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentReadAccess read
+select read

javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess_getAWrite.expected

@@ -0,0 +1,2 @@
+| persistence.js:3:5:3:33 | localSt ... prop1') | persistence.js:2:5:2:37 | localSt ... 1', v1) |
+| persistence.js:6:5:6:35 | session ... prop2') | persistence.js:5:5:5:39 | session ... 2', v2) |

javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess_getAWrite.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentReadAccess read
+select read, read.getAWrite()

javascript/ql/test/library-tests/frameworks/Concepts/PersistentWriteAccess.expected

@@ -0,0 +1,4 @@
+| persistence.js:2:5:2:37 | localSt ... 1', v1) | persistence.js:2:35:2:36 | v1 |
+| persistence.js:5:5:5:39 | session ... 2', v2) | persistence.js:5:37:5:38 | v2 |
+| persistence.js:8:5:8:37 | localSt ... 3', v3) | persistence.js:8:35:8:36 | v3 |
+| persistence.js:12:5:12:37 | localSt ... 5', v5) | persistence.js:12:35:12:36 | v5 |

javascript/ql/test/library-tests/frameworks/Concepts/PersistentWriteAccess.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentWriteAccess write
+select write, write.getValue()

javascript/ql/test/library-tests/frameworks/Concepts/persistence.js

@@ -0,0 +1,14 @@
+(function(){
+    localStorage.setItem('prop1', v1);
+    localStorage.getItem('prop1');
+
+    sessionStorage.setItem('prop2', v2);
+    sessionStorage.getItem('prop2');
+
+    localStorage.setItem('prop3', v3);
+
+    localStorage.getItem('prop4');
+
+    localStorage.setItem('prop5', v5);
+    sessionStorage.getItem('prop5');
+});

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess.expected

@@ -0,0 +1,3 @@
+| tst.js:7:2:7:21 | js_cookie.get('key') |
+| tst.js:12:2:12:27 | browser ... ('key') |
+| tst.js:18:2:18:22 | cookie. ... ['key'] |

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentReadAccess read
+select read

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess_getAWrite.expected

@@ -0,0 +1,3 @@
+| tst.js:7:2:7:21 | js_cookie.get('key') | tst.js:6:2:6:30 | js_cook ... value') |
+| tst.js:12:2:12:27 | browser ... ('key') | tst.js:11:2:11:36 | browser ... value') |
+| tst.js:18:2:18:22 | cookie. ... ['key'] | tst.js:17:2:17:33 | cookie. ... value') |

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess_getAWrite.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentReadAccess read
+select read, read.getAWrite()

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieWriteAccess.expected

@@ -0,0 +1,3 @@
+| tst.js:6:2:6:30 | js_cook ... value') | tst.js:6:23:6:29 | 'value' |
+| tst.js:11:2:11:36 | browser ... value') | tst.js:11:29:11:35 | 'value' |
+| tst.js:17:2:17:33 | cookie. ... value') | tst.js:17:26:17:32 | 'value' |

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieWriteAccess.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentWriteAccess write
+select write, write.getValue()

javascript/ql/test/library-tests/frameworks/CookieLibraries/tst.js

@@ -0,0 +1,19 @@
+const js_cookie = require('js-cookie'),
+      browser_cookies = require('browser-cookies'),
+      cookie = require('cookie');
+
+(function() {
+	js_cookie.set('key', 'value');
+	js_cookie.get('key');
+});
+
+(function() {
+	browser_cookies.set('key', 'value');
+	browser_cookies.get('key');
+});
+
+
+(function() {
+	cookie.serialize('key', 'value');
+	cookie.parse()['key'];
+});

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected

@@ -29,10 +29,15 @@ nodes
 | child_process-test.js:44:30:44:33 | args |
 | child_process-test.js:46:9:46:12 | "sh" |
 | child_process-test.js:46:15:46:18 | args |
-| child_process-test.js:49:14:49:16 | cmd |
-| child_process-test.js:49:19:49:22 | args |
-| child_process-test.js:50:12:50:14 | cmd |
-| child_process-test.js:50:17:50:20 | args |
+| child_process-test.js:48:9:48:17 | args |
+| child_process-test.js:48:16:48:17 | [] |
+| child_process-test.js:50:15:50:17 | cmd |
+| child_process-test.js:51:17:51:32 | `/bin` + "/bash" |
+| child_process-test.js:51:35:51:38 | args |
+| child_process-test.js:55:14:55:16 | cmd |
+| child_process-test.js:55:19:55:22 | args |
+| child_process-test.js:56:12:56:14 | cmd |
+| child_process-test.js:56:17:56:20 | args |
 edges
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd |
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:18:17:18:19 | cmd |
@@ -44,6 +49,7 @@ edges
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:25:21:25:23 | cmd |
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:39:26:39:28 | cmd |
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:43:15:43:17 | cmd |
+| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:50:15:50:17 | cmd |
 | child_process-test.js:6:15:6:38 | url.par ... , true) | child_process-test.js:6:15:6:44 | url.par ... ).query |
 | child_process-test.js:6:15:6:44 | url.par ... ).query | child_process-test.js:6:15:6:49 | url.par ... ry.path |
 | child_process-test.js:6:15:6:49 | url.par ... ry.path | child_process-test.js:6:9:6:49 | cmd |
@@ -58,10 +64,12 @@ edges
 | child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args |
 | child_process-test.js:41:9:41:17 | args | child_process-test.js:46:15:46:18 | args |
 | child_process-test.js:41:16:41:17 | [] | child_process-test.js:41:9:41:17 | args |
-| child_process-test.js:46:9:46:12 | "sh" | child_process-test.js:49:14:49:16 | cmd |
-| child_process-test.js:46:15:46:18 | args | child_process-test.js:49:19:49:22 | args |
-| child_process-test.js:49:14:49:16 | cmd | child_process-test.js:50:12:50:14 | cmd |
-| child_process-test.js:49:19:49:22 | args | child_process-test.js:50:17:50:20 | args |
+| child_process-test.js:46:9:46:12 | "sh" | child_process-test.js:55:14:55:16 | cmd |
+| child_process-test.js:46:15:46:18 | args | child_process-test.js:55:19:55:22 | args |
+| child_process-test.js:48:9:48:17 | args | child_process-test.js:51:35:51:38 | args |
+| child_process-test.js:48:16:48:17 | [] | child_process-test.js:48:9:48:17 | args |
+| child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd |
+| child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args |
 #select
 | child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:18:17:18:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:18:17:18:19 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
@@ -73,4 +81,5 @@ edges
 | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:39:5:39:31 | cp.spaw ...  cmd ]) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:39:26:39:28 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:44:5:44:34 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
-| child_process-test.js:50:3:50:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:51:5:51:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:50:15:50:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:56:3:56:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-078/child_process-test.js

@@ -44,6 +44,12 @@ var server = http.createServer(function(req, res) {
     cp.execFile("/bin/bash", args); // NOT OK
 
     run("sh", args);
+
+    let args = [];
+    args[0] = `-` + "c";
+    args[1] = cmd;
+    cp.execFile(`/bin` + "/bash", args); // NOT OK
+
 });
 
 function run(cmd, args) {

javascript/ql/test/query-tests/Security/CWE-079/StoredXss.expected

@@ -54,6 +54,12 @@ nodes
 | react-native.js:7:17:7:33 | req.param("code") |
 | react-native.js:8:18:8:24 | tainted |
 | react-native.js:9:27:9:33 | tainted |
+| stored-xss.js:2:39:2:55 | document.location |
+| stored-xss.js:2:39:2:62 | documen ... .search |
+| stored-xss.js:3:35:3:51 | document.location |
+| stored-xss.js:3:35:3:58 | documen ... .search |
+| stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:8:20:8:48 | localSt ... local') |
 | string-manipulations.js:3:16:3:32 | document.location |
 | string-manipulations.js:4:16:4:32 | document.location |
 | string-manipulations.js:4:16:4:37 | documen ... on.href |
@@ -205,6 +211,9 @@ nodes
 | tst.js:244:39:244:55 | props.propTainted |
 | tst.js:248:60:248:82 | this.st ... Tainted |
 | tst.js:252:23:252:29 | tainted |
+| tst.js:256:7:256:17 | window.name |
+| tst.js:257:7:257:10 | name |
+| tst.js:261:11:261:21 | window.name |
 | winjs.js:2:7:2:53 | tainted |
 | winjs.js:2:17:2:33 | document.location |
 | winjs.js:2:17:2:40 | documen ... .search |
@@ -268,6 +277,10 @@ edges
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
+| stored-xss.js:2:39:2:55 | document.location | stored-xss.js:2:39:2:62 | documen ... .search |
+| stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
+| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
 | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
 | string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:37 | documen ... on.href |
 | string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

@@ -17,6 +17,12 @@ nodes
 | react-native.js:7:17:7:33 | req.param("code") |
 | react-native.js:8:18:8:24 | tainted |
 | react-native.js:9:27:9:33 | tainted |
+| stored-xss.js:2:39:2:55 | document.location |
+| stored-xss.js:2:39:2:62 | documen ... .search |
+| stored-xss.js:3:35:3:51 | document.location |
+| stored-xss.js:3:35:3:58 | documen ... .search |
+| stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:8:20:8:48 | localSt ... local') |
 | string-manipulations.js:3:16:3:32 | document.location |
 | string-manipulations.js:4:16:4:32 | document.location |
 | string-manipulations.js:4:16:4:37 | documen ... on.href |
@@ -162,6 +168,9 @@ nodes
 | tst.js:244:39:244:55 | props.propTainted |
 | tst.js:248:60:248:82 | this.st ... Tainted |
 | tst.js:252:23:252:29 | tainted |
+| tst.js:256:7:256:17 | window.name |
+| tst.js:257:7:257:10 | name |
+| tst.js:261:11:261:21 | window.name |
 | winjs.js:2:7:2:53 | tainted |
 | winjs.js:2:17:2:33 | document.location |
 | winjs.js:2:17:2:40 | documen ... .search |
@@ -183,6 +192,10 @@ edges
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
+| stored-xss.js:2:39:2:55 | document.location | stored-xss.js:2:39:2:62 | documen ... .search |
+| stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
+| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
 | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
 | string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:37 | documen ... on.href |
 | string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
@@ -307,6 +320,8 @@ edges
 | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value |
 | react-native.js:8:18:8:24 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:18:8:24 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
+| stored-xss.js:5:20:5:52 | session ... ssion') | stored-xss.js:2:39:2:55 | document.location | stored-xss.js:5:20:5:52 | session ... ssion') | Cross-site scripting vulnerability due to $@. | stored-xss.js:2:39:2:55 | document.location | user-provided value |
+| stored-xss.js:8:20:8:48 | localSt ... local') | stored-xss.js:3:35:3:51 | document.location | stored-xss.js:8:20:8:48 | localSt ... local') | Cross-site scripting vulnerability due to $@. | stored-xss.js:3:35:3:51 | document.location | user-provided value |
 | string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | Cross-site scripting vulnerability due to $@. | string-manipulations.js:3:16:3:32 | document.location | user-provided value |
 | string-manipulations.js:4:16:4:37 | documen ... on.href | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href | Cross-site scripting vulnerability due to $@. | string-manipulations.js:4:16:4:32 | document.location | user-provided value |
 | string-manipulations.js:5:16:5:47 | documen ... lueOf() | string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:47 | documen ... lueOf() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:5:16:5:32 | document.location | user-provided value |
@@ -360,5 +375,8 @@ edges
 | tst.js:224:28:224:46 | this.props.tainted3 | tst.js:194:19:194:35 | document.location | tst.js:224:28:224:46 | this.props.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
 | tst.js:228:32:228:49 | prevProps.tainted4 | tst.js:194:19:194:35 | document.location | tst.js:228:32:228:49 | prevProps.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
 | tst.js:248:60:248:82 | this.st ... Tainted | tst.js:194:19:194:35 | document.location | tst.js:248:60:248:82 | this.st ... Tainted | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:256:7:256:17 | window.name | tst.js:256:7:256:17 | window.name | tst.js:256:7:256:17 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:256:7:256:17 | window.name | user-provided value |
+| tst.js:257:7:257:10 | name | tst.js:257:7:257:10 | name | tst.js:257:7:257:10 | name | Cross-site scripting vulnerability due to $@. | tst.js:257:7:257:10 | name | user-provided value |
+| tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:261:11:261:21 | window.name | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
 | winjs.js:4:43:4:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:4:43:4:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/stored-xss.js

@@ -0,0 +1,9 @@
+(function() {
+    sessionStorage.setItem('session', document.location.search);
+    localStorage.setItem('local', document.location.search);
+
+    $('myId').html(sessionStorage.getItem('session')); // NOT OK
+    $('myId').html(localStorage.getItem('session')); // OK
+    $('myId').html(sessionStorage.getItem('local')); // OK
+    $('myId').html(localStorage.getItem('local')); // NOT OK
+});

javascript/ql/test/query-tests/Security/CWE-079/tst.js

@@ -251,3 +251,14 @@ function react(){
 
     (<C3 propTainted={tainted}/>);
 }
+
+function windowName() {
+    $(window.name); // NOT OK
+    $(name); // NOT OK
+}
+function windowNameAssigned() {
+    for (name of ['a', 'b']) {
+        $(window.name); // NOT OK
+        $(name); // OK
+    }
+}

javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteSanitization.expected

@@ -9,3 +9,9 @@
 | tst.js:37:20:37:23 | /"/g | This does not backslash-escape the backslash character. |
 | tst.js:41:20:41:22 | "/" | This replaces only the first occurrence of "/". |
 | tst.js:45:20:45:24 | "%25" | This replaces only the first occurrence of "%25". |
+| tst.js:49:20:49:22 | `'` | This replaces only the first occurrence of `'`. |
+| tst.js:53:20:53:22 | "'" | This replaces only the first occurrence of "'". |
+| tst.js:57:20:57:22 | `'` | This replaces only the first occurrence of `'`. |
+| tst.js:61:20:61:27 | "'" + "" | This replaces only the first occurrence of "'" + "". |
+| tst.js:65:20:65:22 | "'" | This replaces only the first occurrence of "'". |
+| tst.js:69:20:69:27 | "'" + "" | This replaces only the first occurrence of "'" + "". |

javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js

@@ -45,6 +45,29 @@ function bad11(s) {
   return s.replace("%25", "%"); // NOT OK
 }
 
+function bad12(s) {
+  return s.replace(`'`, ""); // NOT OK
+}
+
+function bad13(s) {
+  return s.replace("'", ``); // NOT OK
+}
+
+function bad14(s) {
+  return s.replace(`'`, ``); // NOT OK
+}
+
+function bad15(s) {
+  return s.replace("'" + "", ""); // NOT OK
+}
+
+function bad16(s) {
+  return s.replace("'", "" + ""); // NOT OK
+}
+
+function bad17(s) {
+  return s.replace("'" + "", "" + ""); // NOT OK
+}
 
 function good1(s) {
   while (s.indexOf("'") > 0)
@@ -120,6 +143,12 @@ app.get('/some/path', function(req, res) {
   bad9(untrusted);
   bad10(untrusted);
   bad11(untrusted);
+  bad12(untrusted);
+  bad13(untrusted);
+  bad14(untrusted);
+  bad15(untrusted);
+  bad16(untrusted);
+  bad17(untrusted);
 
   good1(untrusted);
   good2(untrusted);

javascript/ql/test/query-tests/filters/ClassifyFiles/AutoRest.js

@@ -0,0 +1,5 @@
+/*
+ * Code generated by Microsoft (R) AutoRest Code Generator.
+ * Changes may cause incorrect behavior and will be lost if the code is
+ * regenerated.
+ */

javascript/ql/test/query-tests/filters/ClassifyFiles/ClassifyFiles.expected

@@ -1,7 +1,10 @@
+| AutoRest.js:0:0:0:0 | AutoRest.js | generated |
 | ai.1.2.3-build0123.js:0:0:0:0 | ai.1.2.3-build0123.js | library |
 | bundle-directive.js:0:0:0:0 | bundle-directive.js | generated |
 | data.js:0:0:0:0 | data.js | generated |
+| etherpad.html:0:0:0:0 | etherpad.html | generated |
 | exported-data.js:0:0:0:0 | exported-data.js | generated |
+| htmltidy.html:0:0:0:0 | htmltidy.html | generated |
 | jison-lex.js:0:0:0:0 | jison-lex.js | generated |
 | jison.js:0:0:0:0 | jison.js | generated |
 | jquery-datatables.js:0:0:0:0 | jquery-datatables.js | library |
@@ -12,12 +15,19 @@
 | multi-part-bundle.html:0:0:0:0 | multi-part-bundle.html | generated |
 | multi-part-bundle.js:0:0:0:0 | multi-part-bundle.js | generated |
 | multiple-licenses-2.js:0:0:0:0 | multiple-licenses-2.js | generated |
+| multiple-licenses-3.js:0:0:0:0 | multiple-licenses-3.js | generated |
+| multiple-licenses-4.js:0:0:0:0 | multiple-licenses-4.js | generated |
 | multiple-licenses.js:0:0:0:0 | multiple-licenses.js | generated |
 | opal-test.js:0:0:0:0 | opal-test.js | generated |
+| orgmode.html:0:0:0:0 | orgmode.html | generated |
+| pandoc.html:0:0:0:0 | pandoc.html | generated |
 | peg-js.js:0:0:0:0 | peg-js.js | generated |
 | polymer.html:0:0:0:0 | polymer.html | template |
+| purs-bundle.js:0:0:0:0 | purs-bundle.js | generated |
+| purs.js:0:0:0:0 | purs.js | generated |
 | some-template.html:0:0:0:0 | some-template.html | template |
 | templ.js:0:0:0:0 | templ.js | template |
+| textmate.html:0:0:0:0 | textmate.html | generated |
 | tmpl2.html:0:0:0:0 | tmpl2.html | template |
 | tmpl.html:0:0:0:0 | tmpl.html | template |
 | tst.browserify.js:0:0:0:0 | tst.browserify.js | generated |

javascript/ql/test/query-tests/filters/ClassifyFiles/CodeGenerator.expected

@@ -1,7 +1,10 @@
+| AutoRest.js:1:1:5:3 | /*\\n * C ... ed.\\n */ | Microsoft (R) AutoRest Code Generator |
 | jison-lex.js:1:1:1:34 | /* gene ... .2.1 */ | jison-lex |
 | jison.js:1:1:1:38 | /* pars ... 4.13 */ | jison |
 | jsx-old.js:1:1:1:106 | // gene ... 977102) | JSX |
 | jsx.js:1:1:1:105 | // gene ... 977102) | JSX |
 | opal-test.js:1:1:1:30 | /* Gene ... 10.3 */ | Opal |
 | peg-js.js:2:3:6:5 | /*\\n   * ... /\\n   */ | PEG.js |
+| purs-bundle.js:1:1:1:34 | // Gene ...  0.11.7 | purs |
+| purs.js:1:1:1:35 | // Gene ...  0.11.7 | purs |
 | tst.dart.js:1:1:1:57 | // Gene ... mpiler. | dart2js |

javascript/ql/test/query-tests/filters/ClassifyFiles/etherpad.html

@@ -0,0 +1,10 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <title><%- padId %></title>
+    <meta name="generator" content="Etherpad">
+    <script type="text/javascript">//</script>
+  </head>
+  <body>
+  </body>
+</html>

javascript/ql/test/query-tests/filters/ClassifyFiles/htmltidy.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">
+<html>
+  <head>
+    <meta name="generator" content="HTML Tidy for Linux/x86 (vers 25 March 2009), see www.w3.org">
+    <script type="text/javascript">//</script>
+  </head>
+  <body>
+  </body>
+</html>

javascript/ql/test/query-tests/filters/ClassifyFiles/multiple-licenses-3.js

@@ -0,0 +1,6 @@
+/**
+ * @license
+ */
+/**
+ * @license
+ */

javascript/ql/test/query-tests/filters/ClassifyFiles/multiple-licenses-4.js

@@ -0,0 +1,6 @@
+/**
+ * The MIT License (MIT)
+ */
+/**
+ * The MIT License (MIT)
+ */

javascript/ql/test/query-tests/filters/ClassifyFiles/not-multiple-licenses.js

@@ -0,0 +1,9 @@
+/**
+ * The MIT License (MIT)
+ */
+/**
+ * The user needs to accept the licence.
+ */
+function hasAcceptedLicense(){
+    // ...
+}

javascript/ql/test/query-tests/filters/ClassifyFiles/orgmode.html

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+          "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+  <head>
+    <meta name="generator" content="Org-mode"/>
+    <script type="text/javascript">//</script>
+  </head>
+  <body>
+  </body>
+</html>

javascript/ql/test/query-tests/filters/ClassifyFiles/pandoc.html

@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta name="generator" content="pandoc" />
+    <script type="text/javascript">//</script>
+  </head>
+  <body>
+</html>

javascript/ql/test/query-tests/filters/ClassifyFiles/purs-bundle.js

@@ -0,0 +1 @@
+// Generated by purs bundle 0.11.7

javascript/ql/test/query-tests/filters/ClassifyFiles/purs.js

@@ -0,0 +1 @@
+// Generated by purs version 0.11.7

javascript/ql/test/query-tests/filters/ClassifyFiles/textmate.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
+          "http://www.w3.org/TR/html4/strict.dtd">
+<html lang="en">
+  <head>
+    <meta name="generator" content="TextMate http://macromates.com/">
+    <script type="text/javascript">//</script>
+  </head>
+  <body>
+</html>