JS: Update output from tests that changed on main

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

@@ -134,6 +134,22 @@ nodes
 | TaintedPath.js:196:31:196:34 | path | semmle.label | path |
 | TaintedPath.js:197:45:197:48 | path | semmle.label | path |
 | TaintedPath.js:198:35:198:38 | path | semmle.label | path |
+| TaintedPath.js:202:7:202:48 | path | semmle.label | path |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | semmle.label | url.par ... , true) |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | semmle.label | url.par ... ).query |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | semmle.label | url.par ... ry.path |
+| TaintedPath.js:202:24:202:30 | req.url | semmle.label | req.url |
+| TaintedPath.js:206:29:206:32 | path | semmle.label | path |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') | semmle.label | path.re ... '), '') |
+| TaintedPath.js:211:7:211:48 | path | semmle.label | path |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) | semmle.label | url.par ... , true) |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query | semmle.label | url.par ... ).query |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path | semmle.label | url.par ... ry.path |
+| TaintedPath.js:211:24:211:30 | req.url | semmle.label | req.url |
+| TaintedPath.js:213:29:213:32 | path | semmle.label | path |
+| TaintedPath.js:213:29:213:68 | path.re ... '), '') | semmle.label | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | semmle.label | path |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') | semmle.label | path.re ... '), '') |
 | examples/TaintedPath.js:8:7:8:52 | filePath | semmle.label | filePath |
 | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | semmle.label | url.par ... , true) |
 | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | semmle.label | url.par ... ).query |
@@ -614,6 +630,20 @@ edges
 | TaintedPath.js:195:14:195:43 | url.par ... ).query | TaintedPath.js:195:14:195:48 | url.par ... ry.path | provenance | Config |
 | TaintedPath.js:195:14:195:48 | url.par ... ry.path | TaintedPath.js:195:7:195:48 | path | provenance |  |
 | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) | provenance | Config |
+| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path | provenance |  |
+| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query | provenance | Config |
+| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path | provenance | Config |
+| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path | provenance |  |
+| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) | provenance | Config |
+| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') | provenance | Config |
+| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path | provenance |  |
+| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path | provenance |  |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query | provenance | Config |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path | provenance | Config |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path | provenance |  |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) | provenance | Config |
+| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') | provenance | Config |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') | provenance | Config |
 | examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath | provenance |  |
 | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | provenance | Config |
 | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | provenance | Config |
@@ -965,6 +995,9 @@ subpaths
 | TaintedPath.js:196:31:196:34 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:196:31:196:34 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
 | TaintedPath.js:197:45:197:48 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:197:45:197:48 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
 | TaintedPath.js:198:35:198:38 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:198:35:198:38 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
+| TaintedPath.js:206:29:206:85 | path.re ... '), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:206:29:206:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value |
+| TaintedPath.js:213:29:213:68 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:213:29:213:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:216:31:216:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value |
 | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value |
 | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. | express.js:8:20:8:32 | req.query.bar | user-provided value |
 | handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value |

javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected

@@ -131,6 +131,11 @@ edges
 | lib/lib.js:608:42:608:45 | name | lib/lib.js:609:22:609:25 | name | provenance |  |
 | lib/lib.js:608:42:608:45 | name | lib/lib.js:626:29:626:32 | name | provenance |  |
 | lib/lib.js:608:42:608:45 | name | lib/lib.js:629:25:629:28 | name | provenance |  |
+| lib/lib.js:632:38:632:41 | name | lib/lib.js:633:24:633:27 | name | provenance |  |
+| lib/lib.js:633:6:633:68 | sanitized | lib/lib.js:634:22:634:30 | sanitized | provenance |  |
+| lib/lib.js:633:24:633:27 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | provenance |  |
+| lib/lib.js:633:24:633:27 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | provenance |  |
+| lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | lib/lib.js:633:6:633:68 | sanitized | provenance |  |
 | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name | provenance |  |
 | lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name | provenance |  |
 | lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name | provenance |  |
@@ -322,6 +327,12 @@ nodes
 | lib/lib.js:609:22:609:25 | name | semmle.label | name |
 | lib/lib.js:626:29:626:32 | name | semmle.label | name |
 | lib/lib.js:629:25:629:28 | name | semmle.label | name |
+| lib/lib.js:632:38:632:41 | name | semmle.label | name |
+| lib/lib.js:633:6:633:68 | sanitized | semmle.label | sanitized |
+| lib/lib.js:633:24:633:27 | name | semmle.label | name |
+| lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | semmle.label | name.re ... '\\\\''") |
+| lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | semmle.label | name.re ... '\\\\''") |
+| lib/lib.js:634:22:634:30 | sanitized | semmle.label | sanitized |
 | lib/subLib2/compiled-file.ts:3:26:3:29 | name | semmle.label | name |
 | lib/subLib2/compiled-file.ts:4:25:4:28 | name | semmle.label | name |
 | lib/subLib2/special-file.js:3:28:3:31 | name | semmle.label | name |
@@ -442,6 +453,8 @@ subpaths
 | lib/lib.js:609:10:609:25 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:609:22:609:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:609:2:609:26 | cp.exec ... + name) | shell command |
 | lib/lib.js:626:17:626:32 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:626:29:626:32 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:626:9:626:33 | cp.exec ... + name) | shell command |
 | lib/lib.js:629:13:629:28 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:629:25:629:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:629:5:629:29 | cp.exec ... + name) | shell command |
+| lib/lib.js:633:18:633:68 | "'" + n ... ) + "'" | lib/lib.js:632:38:632:41 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:634:2:634:31 | cp.exec ... itized) | shell command |
+| lib/lib.js:634:10:634:30 | "rm -rf ... nitized | lib/lib.js:632:38:632:41 | name | lib/lib.js:634:22:634:30 | sanitized | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:634:2:634:31 | cp.exec ... itized) | shell command |
 | lib/subLib2/compiled-file.ts:4:13:4:28 | "rm -rf " + name | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/compiled-file.ts:3:26:3:29 | name | library input | lib/subLib2/compiled-file.ts:4:5:4:29 | cp.exec ... + name) | shell command |
 | lib/subLib2/special-file.js:4:10:4:25 | "rm -rf " + name | lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/special-file.js:3:28:3:31 | name | library input | lib/subLib2/special-file.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/subLib3/my-file.ts:4:10:4:25 | "rm -rf " + name | lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib3/my-file.ts:3:28:3:31 | name | library input | lib/subLib3/my-file.ts:4:2:4:26 | cp.exec ... + name) | shell command |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -365,6 +365,7 @@ nodes
 | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | semmle.label | "<OPTIO ... PTION>" |
 | tst.js:8:37:8:58 | documen ... on.href | semmle.label | documen ... on.href |
 | tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) |
+| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) |
 | tst.js:12:5:12:42 | '<div s ...  'px">' | semmle.label | '<div s ...  'px">' |
 | tst.js:12:28:12:33 | target | semmle.label | target |
 | tst.js:17:7:17:56 | params | semmle.label | params |
@@ -390,19 +391,24 @@ nodes
 | tst.js:40:16:40:44 | baz(doc ... search) | semmle.label | baz(doc ... search) |
 | tst.js:40:20:40:43 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:42:15:42:15 | s | semmle.label | s |
+| tst.js:42:15:42:15 | s | semmle.label | s |
 | tst.js:43:10:43:31 | "<div>" ... </div>" | semmle.label | "<div>" ... </div>" |
 | tst.js:43:20:43:20 | s | semmle.label | s |
+| tst.js:43:20:43:20 | s | semmle.label | s |
 | tst.js:46:16:46:45 | wrap(do ... search) | semmle.label | wrap(do ... search) |
 | tst.js:46:21:46:44 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:48:15:48:15 | s | semmle.label | s |
 | tst.js:50:12:50:12 | s | semmle.label | s |
 | tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) |
+| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) |
+| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) |
 | tst.js:54:16:54:45 | chop(do ... search) | semmle.label | chop(do ... search) |
 | tst.js:54:21:54:44 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:56:16:56:45 | chop(do ... search) | semmle.label | chop(do ... search) |
 | tst.js:56:21:56:44 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:58:16:58:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) |
 | tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) |
+| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) |
 | tst.js:58:26:58:30 | bar() | semmle.label | bar() |
 | tst.js:60:34:60:34 | s | semmle.label | s |
 | tst.js:62:18:62:18 | s | semmle.label | s |
@@ -570,6 +576,10 @@ nodes
 | tst.js:494:18:494:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) |
 | tst.js:501:33:501:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) |
 | tst.js:501:43:501:62 | window.location.hash | semmle.label | window.location.hash |
+| tst.js:508:7:508:39 | target | semmle.label | target |
+| tst.js:508:16:508:39 | documen ... .search | semmle.label | documen ... .search |
+| tst.js:509:18:509:23 | target | semmle.label | target |
+| tst.js:509:18:509:54 | target. ... "), '') | semmle.label | target. ... "), '') |
 | typeahead.js:20:13:20:45 | target | semmle.label | target |
 | typeahead.js:20:22:20:45 | documen ... .search | semmle.label | documen ... .search |
 | typeahead.js:21:12:21:17 | target | semmle.label | target |
@@ -915,6 +925,7 @@ edges
 | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance |  |
 | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | Config |
 | tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | provenance |  |
+| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | provenance |  |
 | tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | provenance | Config |
 | tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '<div s ...  'px">' | provenance | Config |
 | tst.js:17:7:17:56 | params | tst.js:18:18:18:23 | params | provenance |  |
@@ -937,6 +948,8 @@ edges
 | tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | provenance |  |
 | tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | provenance |  |
 | tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance |  |
+| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance |  |
+| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | provenance |  |
 | tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | provenance |  |
 | tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | provenance | Config |
 | tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | provenance |  |
@@ -945,6 +958,7 @@ edges
 | tst.js:48:15:48:15 | s | tst.js:50:12:50:12 | s | provenance |  |
 | tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance |  |
 | tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config |
+| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config |
 | tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance |  |
 | tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance |  |
 | tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | Config |
@@ -952,6 +966,8 @@ edges
 | tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | provenance |  |
 | tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | provenance | Config |
 | tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance |  |
+| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance |  |
+| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance |  |
 | tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance |  |
 | tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | Config |
 | tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | provenance |  |
@@ -1090,6 +1106,9 @@ edges
 | tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | provenance | Config |
 | tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | provenance | Config |
 | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | provenance |  |
+| tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target | provenance |  |
+| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target | provenance |  |
+| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') | provenance |  |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance |  |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance |  |
 | typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val | provenance |  |
@@ -1146,8 +1165,14 @@ subpaths
 | tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | tst.js:40:16:40:44 | baz(doc ... search) |
 | tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | tst.js:46:16:46:45 | wrap(do ... search) |
 | tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) |
+| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) |
+| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) |
+| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) |
+| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) |
 | tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) |
 | tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | tst.js:58:16:58:32 | wrap(chop(bar())) |
+| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | tst.js:58:16:58:32 | wrap(chop(bar())) |
+| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) |
 | tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) |
 | various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | various-concat-obfuscations.js:14:24:14:28 | attrs | various-concat-obfuscations.js:15:10:15:83 | '<div a ... </div>' | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) |
 | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '<div a ... /div>') | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) |
@@ -1375,6 +1400,7 @@ subpaths
 | tst.js:491:23:491:45 | locatio ... bstr(1) | tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:491:23:491:35 | location.hash | user-provided value |
 | tst.js:494:18:494:40 | locatio ... bstr(1) | tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:494:18:494:30 | location.hash | user-provided value |
 | tst.js:501:33:501:63 | decodeU ... n.hash) | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:501:43:501:62 | window.location.hash | user-provided value |
+| tst.js:509:18:509:54 | target. ... "), '') | tst.js:508:16:508:39 | documen ... .search | tst.js:509:18:509:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:508:16:508:39 | documen ... .search | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value |
 | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
 | various-concat-obfuscations.js:5:4:5:26 | `<div>$ ... </div>` | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:5:4:5:26 | `<div>$ ... </div>` | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -370,6 +370,7 @@ nodes
 | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | semmle.label | "<OPTIO ... PTION>" |
 | tst.js:8:37:8:58 | documen ... on.href | semmle.label | documen ... on.href |
 | tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) |
+| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) |
 | tst.js:12:5:12:42 | '<div s ...  'px">' | semmle.label | '<div s ...  'px">' |
 | tst.js:12:28:12:33 | target | semmle.label | target |
 | tst.js:17:7:17:56 | params | semmle.label | params |
@@ -395,19 +396,24 @@ nodes
 | tst.js:40:16:40:44 | baz(doc ... search) | semmle.label | baz(doc ... search) |
 | tst.js:40:20:40:43 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:42:15:42:15 | s | semmle.label | s |
+| tst.js:42:15:42:15 | s | semmle.label | s |
 | tst.js:43:10:43:31 | "<div>" ... </div>" | semmle.label | "<div>" ... </div>" |
 | tst.js:43:20:43:20 | s | semmle.label | s |
+| tst.js:43:20:43:20 | s | semmle.label | s |
 | tst.js:46:16:46:45 | wrap(do ... search) | semmle.label | wrap(do ... search) |
 | tst.js:46:21:46:44 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:48:15:48:15 | s | semmle.label | s |
 | tst.js:50:12:50:12 | s | semmle.label | s |
 | tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) |
+| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) |
+| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) |
 | tst.js:54:16:54:45 | chop(do ... search) | semmle.label | chop(do ... search) |
 | tst.js:54:21:54:44 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:56:16:56:45 | chop(do ... search) | semmle.label | chop(do ... search) |
 | tst.js:56:21:56:44 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:58:16:58:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) |
 | tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) |
+| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) |
 | tst.js:58:26:58:30 | bar() | semmle.label | bar() |
 | tst.js:60:34:60:34 | s | semmle.label | s |
 | tst.js:62:18:62:18 | s | semmle.label | s |
@@ -575,6 +581,10 @@ nodes
 | tst.js:494:18:494:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) |
 | tst.js:501:33:501:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) |
 | tst.js:501:43:501:62 | window.location.hash | semmle.label | window.location.hash |
+| tst.js:508:7:508:39 | target | semmle.label | target |
+| tst.js:508:16:508:39 | documen ... .search | semmle.label | documen ... .search |
+| tst.js:509:18:509:23 | target | semmle.label | target |
+| tst.js:509:18:509:54 | target. ... "), '') | semmle.label | target. ... "), '') |
 | typeahead.js:9:28:9:30 | loc | semmle.label | loc |
 | typeahead.js:10:16:10:18 | loc | semmle.label | loc |
 | typeahead.js:20:13:20:45 | target | semmle.label | target |
@@ -939,6 +949,7 @@ edges
 | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance |  |
 | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | Config |
 | tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | provenance |  |
+| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | provenance |  |
 | tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | provenance | Config |
 | tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '<div s ...  'px">' | provenance | Config |
 | tst.js:17:7:17:56 | params | tst.js:18:18:18:23 | params | provenance |  |
@@ -961,6 +972,8 @@ edges
 | tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | provenance |  |
 | tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | provenance |  |
 | tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance |  |
+| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance |  |
+| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | provenance |  |
 | tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | provenance |  |
 | tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | provenance | Config |
 | tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | provenance |  |
@@ -969,6 +982,7 @@ edges
 | tst.js:48:15:48:15 | s | tst.js:50:12:50:12 | s | provenance |  |
 | tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance |  |
 | tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config |
+| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config |
 | tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance |  |
 | tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance |  |
 | tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | Config |
@@ -976,6 +990,8 @@ edges
 | tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | provenance |  |
 | tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | provenance | Config |
 | tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance |  |
+| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance |  |
+| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance |  |
 | tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance |  |
 | tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | Config |
 | tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | provenance |  |
@@ -1114,6 +1130,9 @@ edges
 | tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | provenance | Config |
 | tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | provenance | Config |
 | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | provenance |  |
+| tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target | provenance |  |
+| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target | provenance |  |
+| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') | provenance |  |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc | provenance |  |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance |  |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance |  |
@@ -1182,8 +1201,14 @@ subpaths
 | tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | tst.js:40:16:40:44 | baz(doc ... search) |
 | tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | tst.js:46:16:46:45 | wrap(do ... search) |
 | tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) |
+| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) |
+| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) |
+| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) |
+| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) |
 | tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) |
 | tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | tst.js:58:16:58:32 | wrap(chop(bar())) |
+| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "<div>" ... </div>" | tst.js:58:16:58:32 | wrap(chop(bar())) |
+| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) |
 | tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) |
 | various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | various-concat-obfuscations.js:14:24:14:28 | attrs | various-concat-obfuscations.js:15:10:15:83 | '<div a ... </div>' | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) |
 | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '<div a ... /div>') | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) |

javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -71,6 +71,7 @@ edges
 | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") | provenance |  |
 | passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") | provenance |  |
 | passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") | provenance |  |
+| passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") | provenance |  |
 | passwords_in_server_5.js:4:7:4:24 | req.query.password | passwords_in_server_5.js:7:12:7:12 | x | provenance |  |
 | passwords_in_server_5.js:7:12:7:12 | x | passwords_in_server_5.js:8:17:8:17 | x | provenance |  |
 nodes
@@ -164,6 +165,8 @@ nodes
 | passwords.js:170:11:170:39 | passwor ... g, "*") | semmle.label | passwor ... g, "*") |
 | passwords.js:173:17:173:26 | myPassword | semmle.label | myPassword |
 | passwords.js:176:17:176:26 | myPasscode | semmle.label | myPasscode |
+| passwords.js:182:14:182:21 | password | semmle.label | password |
+| passwords.js:182:14:182:51 | passwor ... ), "*") | semmle.label | passwor ... ), "*") |
 | passwords_in_browser1.js:2:13:2:20 | password | semmle.label | password |
 | passwords_in_browser2.js:2:13:2:20 | password | semmle.label | password |
 | passwords_in_server_1.js:6:13:6:20 | password | semmle.label | password |
@@ -210,6 +213,7 @@ subpaths
 | passwords.js:170:11:170:39 | passwor ... g, "*") | passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:170:11:170:18 | password | an access to password |
 | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword | This logs sensitive data returned by $@ as clear text. | passwords.js:173:17:173:26 | myPassword | an access to myPassword |
 | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode | This logs sensitive data returned by $@ as clear text. | passwords.js:176:17:176:26 | myPasscode | an access to myPasscode |
+| passwords.js:182:14:182:51 | passwor ... ), "*") | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:182:14:182:21 | password | an access to password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
 | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
 | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |

javascript/ql/test/query-tests/Security/CWE-400/ReDoS/PolynomialReDoS.expected

@@ -348,6 +348,9 @@ edges
 | polynomial-redos.js:132:18:132:24 | tainted | polynomial-redos.js:135:21:135:27 | tainted | provenance |  |
 | polynomial-redos.js:132:18:132:50 | tainted ... g, "e") | polynomial-redos.js:132:6:132:50 | modified2 | provenance |  |
 | polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:136:5:136:13 | modified3 | provenance |  |
+| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:140:2:140:10 | modified3 | provenance |  |
+| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:141:2:141:10 | modified3 | provenance |  |
+| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:142:2:142:10 | modified3 | provenance |  |
 | polynomial-redos.js:135:21:135:27 | tainted | polynomial-redos.js:135:21:135:47 | tainted ... /g, "") | provenance |  |
 | polynomial-redos.js:135:21:135:27 | tainted | polynomial-redos.js:138:5:138:11 | tainted | provenance |  |
 | polynomial-redos.js:135:21:135:47 | tainted ... /g, "") | polynomial-redos.js:135:9:135:47 | modified3 | provenance |  |
@@ -573,6 +576,9 @@ nodes
 | polynomial-redos.js:135:21:135:47 | tainted ... /g, "") | semmle.label | tainted ... /g, "") |
 | polynomial-redos.js:136:5:136:13 | modified3 | semmle.label | modified3 |
 | polynomial-redos.js:138:5:138:11 | tainted | semmle.label | tainted |
+| polynomial-redos.js:140:2:140:10 | modified3 | semmle.label | modified3 |
+| polynomial-redos.js:141:2:141:10 | modified3 | semmle.label | modified3 |
+| polynomial-redos.js:142:2:142:10 | modified3 | semmle.label | modified3 |
 subpaths
 #select
 | lib/closure.js:4:5:4:17 | /u*o/.test(x) | lib/closure.js:3:21:3:21 | x | lib/closure.js:4:16:4:16 | x | This $@ that depends on $@ may run slow on strings with many repetitions of 'u'. | lib/closure.js:4:6:4:7 | u* | regular expression | lib/closure.js:3:21:3:21 | x | library input |
@@ -673,3 +679,6 @@ subpaths
 | polynomial-redos.js:133:2:133:32 | modifie ... g, "b") | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:133:2:133:10 | modified2 | This $@ that depends on $@ may run slow on strings starting with 'f' and with many repetitions of 'f'. | polynomial-redos.js:133:22:133:23 | f+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
 | polynomial-redos.js:136:5:136:35 | modifie ... g, "b") | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:136:5:136:13 | modified3 | This $@ that depends on $@ may run slow on strings starting with 'h' and with many repetitions of 'h'. | polynomial-redos.js:136:25:136:26 | h+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
 | polynomial-redos.js:138:5:138:326 | tainted ... )C.*X/) | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:138:5:138:11 | tainted | This $@ that depends on $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | polynomial-redos.js:138:322:138:323 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:140:2:140:48 | modifie ... ), "b") | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:140:2:140:10 | modified3 | This $@ that depends on $@ may run slow on strings starting with 'h' and with many repetitions of 'h'. | polynomial-redos.js:140:33:140:34 | h+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:141:2:141:59 | modifie ... ), "b") | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:141:2:141:10 | modified3 | This $@ that depends on $@ may run slow on strings starting with 'h' and with many repetitions of 'h'. | polynomial-redos.js:141:33:141:34 | h+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:142:2:142:47 | modifie ... ), "b") | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:142:2:142:10 | modified3 | This $@ that depends on $@ may run slow on strings starting with 'h' and with many repetitions of 'h'. | polynomial-redos.js:142:33:142:34 | h+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected

@@ -42,6 +42,11 @@ edges
 | RegExpInjection.js:87:25:87:48 | input.r ... g, "\|") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | provenance |  |
 | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | provenance |  |
 | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | provenance |  |
+| RegExpInjection.js:97:7:97:32 | input | RegExpInjection.js:99:19:99:23 | input | provenance |  |
+| RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:97:7:97:32 | input | provenance |  |
+| RegExpInjection.js:99:7:99:106 | sanitized | RegExpInjection.js:100:14:100:22 | sanitized | provenance |  |
+| RegExpInjection.js:99:19:99:23 | input | RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") | provenance |  |
+| RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") | RegExpInjection.js:99:7:99:106 | sanitized | provenance |  |
 | tst.js:5:9:5:29 | data | tst.js:6:21:6:24 | data | provenance |  |
 | tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data | provenance |  |
 | tst.js:6:21:6:24 | data | tst.js:6:16:6:35 | "^"+ data.name + "$" | provenance |  |
@@ -93,6 +98,12 @@ nodes
 | RegExpInjection.js:91:20:91:30 | process.env | semmle.label | process.env |
 | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | semmle.label | `^${pro ... r.app$` |
 | RegExpInjection.js:93:20:93:31 | process.argv | semmle.label | process.argv |
+| RegExpInjection.js:97:7:97:32 | input | semmle.label | input |
+| RegExpInjection.js:97:15:97:32 | req.param("input") | semmle.label | req.param("input") |
+| RegExpInjection.js:99:7:99:106 | sanitized | semmle.label | sanitized |
+| RegExpInjection.js:99:19:99:23 | input | semmle.label | input |
+| RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") | semmle.label | input.r ... "\\\\$&") |
+| RegExpInjection.js:100:14:100:22 | sanitized | semmle.label | sanitized |
 | tst.js:5:9:5:29 | data | semmle.label | data |
 | tst.js:5:16:5:29 | req.query.data | semmle.label | req.query.data |
 | tst.js:6:16:6:35 | "^"+ data.name + "$" | semmle.label | "^"+ data.name + "$" |
@@ -119,4 +130,5 @@ subpaths
 | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | RegExpInjection.js:82:15:82:32 | req.param("input") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | This regular expression is constructed from a $@. | RegExpInjection.js:82:15:82:32 | req.param("input") | user-provided value |
 | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:91:20:91:30 | process.env | environment variable |
 | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:93:20:93:31 | process.argv | command-line argument |
+| RegExpInjection.js:100:14:100:22 | sanitized | RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:100:14:100:22 | sanitized | This regular expression is constructed from a $@. | RegExpInjection.js:97:15:97:32 | req.param("input") | user-provided value |
 | tst.js:6:16:6:35 | "^"+ data.name + "$" | tst.js:5:16:5:29 | req.query.data | tst.js:6:16:6:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:5:16:5:29 | req.query.data | user-provided value |

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected

@@ -106,6 +106,8 @@ edges
 | tst.js:102:17:102:38 | String( ... y.data) | tst.js:102:9:102:38 | taint | provenance |  |
 | tst.js:102:24:102:37 | req.query.data | tst.js:102:17:102:38 | String( ... y.data) | provenance | Config |
 | tst.js:105:12:105:16 | taint | tst.js:105:5:105:17 | object[taint] | provenance | Config |
+| tst.js:130:9:130:19 | req.query.x | tst.js:130:9:130:52 | req.que ... '), '') | provenance | Config |
+| tst.js:130:9:130:52 | req.que ... '), '') | tst.js:130:5:130:53 | obj[req ... ), '')] | provenance | Config |
 nodes
 | lib.js:1:38:1:40 | obj | semmle.label | obj |
 | lib.js:1:43:1:46 | path | semmle.label | path |
@@ -232,6 +234,9 @@ nodes
 | tst.js:102:24:102:37 | req.query.data | semmle.label | req.query.data |
 | tst.js:105:5:105:17 | object[taint] | semmle.label | object[taint] |
 | tst.js:105:12:105:16 | taint | semmle.label | taint |
+| tst.js:130:5:130:53 | obj[req ... ), '')] | semmle.label | obj[req ... ), '')] |
+| tst.js:130:9:130:19 | req.query.x | semmle.label | req.query.x |
+| tst.js:130:9:130:52 | req.que ... '), '') | semmle.label | req.que ... '), '') |
 subpaths
 | tst.js:14:27:14:31 | taint | tst.js:55:29:55:32 | prop | tst.js:56:12:56:33 | obj ? o ...  : null | tst.js:14:5:14:32 | unsafeG ...  taint) |
 #select
@@ -261,3 +266,4 @@ subpaths
 | tst.js:94:5:94:37 | obj[req ... ', '')] | tst.js:94:9:94:19 | req.query.x | tst.js:94:5:94:37 | obj[req ... ', '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:94:9:94:19 | req.query.x | user controlled input |
 | tst.js:97:5:97:46 | obj[req ... g, '')] | tst.js:97:9:97:19 | req.query.x | tst.js:97:5:97:46 | obj[req ... g, '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:97:9:97:19 | req.query.x | user controlled input |
 | tst.js:105:5:105:17 | object[taint] | tst.js:102:24:102:37 | req.query.data | tst.js:105:5:105:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:102:24:102:37 | req.query.data | user controlled input |
+| tst.js:130:5:130:53 | obj[req ... ), '')] | tst.js:130:9:130:19 | req.query.x | tst.js:130:5:130:53 | obj[req ... ), '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:130:9:130:19 | req.query.x | user controlled input |

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.expected

@@ -321,7 +321,6 @@ nodes
 | tests.js:306:34:306:41 | dst[key] | semmle.label | dst[key] |
 | tests.js:306:38:306:40 | key | semmle.label | key |
 | tests.js:306:44:306:48 | value | semmle.label | value |
-| tests.js:306:44:306:48 | value | semmle.label | value |
 | tests.js:308:17:308:19 | dst | semmle.label | dst |
 | tests.js:308:21:308:23 | key | semmle.label | key |
 | tests.js:308:28:308:32 | value | semmle.label | value |
@@ -340,7 +339,6 @@ nodes
 | tests.js:320:38:320:45 | dst[key] | semmle.label | dst[key] |
 | tests.js:320:42:320:44 | key | semmle.label | key |
 | tests.js:320:48:320:52 | value | semmle.label | value |
-| tests.js:320:48:320:52 | value | semmle.label | value |
 | tests.js:322:17:322:19 | dst | semmle.label | dst |
 | tests.js:322:21:322:23 | key | semmle.label | key |
 | tests.js:322:28:322:32 | value | semmle.label | value |
@@ -554,7 +552,6 @@ nodes
 | tests.js:498:21:498:28 | src[key] | semmle.label | src[key] |
 | tests.js:498:25:498:27 | key | semmle.label | key |
 | tests.js:500:38:500:42 | value | semmle.label | value |
-| tests.js:500:38:500:42 | value | semmle.label | value |
 | tests.js:502:17:502:19 | key | semmle.label | key |
 | tests.js:502:24:502:28 | value | semmle.label | value |
 | tests.js:508:30:508:32 | dst | semmle.label | dst |
@@ -998,7 +995,6 @@ edges
 | tests.js:306:34:306:41 | dst[key] | tests.js:301:27:301:29 | dst | provenance |  |
 | tests.js:306:38:306:40 | key | tests.js:306:34:306:41 | dst[key] | provenance | Config |
 | tests.js:306:44:306:48 | value | tests.js:301:32:301:34 | src | provenance |  |
-| tests.js:306:44:306:48 | value | tests.js:301:32:301:34 | src | provenance |  |
 | tests.js:314:31:314:33 | dst | tests.js:320:38:320:40 | dst | provenance |  |
 | tests.js:314:31:314:33 | dst | tests.js:322:17:322:19 | dst | provenance |  |
 | tests.js:314:36:314:38 | src | tests.js:318:25:318:27 | src | provenance |  |
@@ -1020,7 +1016,6 @@ edges
 | tests.js:320:38:320:45 | dst[key] | tests.js:314:31:314:33 | dst | provenance |  |
 | tests.js:320:42:320:44 | key | tests.js:320:38:320:45 | dst[key] | provenance | Config |
 | tests.js:320:48:320:52 | value | tests.js:314:36:314:38 | src | provenance |  |
-| tests.js:320:48:320:52 | value | tests.js:314:36:314:38 | src | provenance |  |
 | tests.js:328:25:328:27 | dst | tests.js:336:32:336:34 | dst | provenance |  |
 | tests.js:328:25:328:27 | dst | tests.js:338:17:338:19 | dst | provenance |  |
 | tests.js:328:30:328:32 | src | tests.js:336:42:336:44 | src | provenance |  |
@@ -1266,7 +1261,6 @@ edges
 | tests.js:498:21:498:28 | src[key] | tests.js:498:13:498:28 | value | provenance |  |
 | tests.js:498:25:498:27 | key | tests.js:498:21:498:28 | src[key] | provenance | Config |
 | tests.js:500:38:500:42 | value | tests.js:494:32:494:34 | src | provenance |  |
-| tests.js:500:38:500:42 | value | tests.js:494:32:494:34 | src | provenance |  |
 | tests.js:508:30:508:32 | dst | tests.js:513:33:513:35 | dst | provenance |  |
 | tests.js:508:30:508:32 | dst | tests.js:517:35:517:37 | dst | provenance |  |
 | tests.js:508:35:508:37 | src | tests.js:513:43:513:45 | src | provenance |  |