hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 19:55:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into js/membershiptest

Browse Source
This commit is contained in:
Esben Sparre Andreasen
2020-06-02 08:54:44 +02:00
committed by GitHub
parent e172d55ecb 7265e94028
commit f9ed64fc45
617 changed files with 16819 additions and 10196 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
javascript/ql/test/library-tests/AMD/AmdModuleDefinition.expected
View File

@@ -7,4 +7,5 @@
| tst3.js:1:1:3:2 | define( ... 42;\\n}) | tst3.js:1:8:3:1 | functio ... = 42;\\n} |
| tst4.js:1:1:11:2 | define( ... };\\n}) | tst4.js:6:11:11:1 | functio ... };\\n} |
| tst.js:1:1:6:2 | define( ... };\\n}) | tst.js:1:28:6:1 | functio ... };\\n} |
| umd.js:4:9:4:43 | define( ... actory) | umd.js:1:18:1:24 | factory |
| umd.js:4:9:4:43 | define( ... actory) | umd.js:9:9:14:1 | functio ... };\\n} |

5
javascript/ql/test/library-tests/AMD/AmdModuleExpr.expected
View File

@@ -5,4 +5,9 @@
| lib/nested/a.js:1:1:3:2 | define( ... 2 };\\n}) | lib/nested/a.js:2:12:2:22 | { foo: 42 } | lib/nested/a.js:2:12:2:22 | { foo: 42 } |
| tst4.js:1:1:11:2 | define( ... };\\n}) | tst4.js:7:12:10:5 | {\\n ... r\\n } | tst4.js:7:12:10:5 | {\\n ... r\\n } |
| tst.js:1:1:6:2 | define( ... };\\n}) | tst.js:2:12:5:5 | {\\n ... r\\n } | tst.js:2:12:5:5 | {\\n ... r\\n } |
| umd.js:4:9:4:43 | define( ... actory) | umd.js:1:18:1:24 | factory | umd.js:1:18:1:24 | factory |
| umd.js:4:9:4:43 | define( ... actory) | umd.js:1:18:1:24 | factory | umd.js:9:9:14:1 | functio ... };\\n} |
| umd.js:4:9:4:43 | define( ... actory) | umd.js:1:18:1:24 | factory | umd.js:10:12:13:5 | {\\n ... r\\n } |
| umd.js:4:9:4:43 | define( ... actory) | umd.js:10:12:13:5 | {\\n ... r\\n } | umd.js:1:18:1:24 | factory |
| umd.js:4:9:4:43 | define( ... actory) | umd.js:10:12:13:5 | {\\n ... r\\n } | umd.js:9:9:14:1 | functio ... };\\n} |
| umd.js:4:9:4:43 | define( ... actory) | umd.js:10:12:13:5 | {\\n ... r\\n } | umd.js:10:12:13:5 | {\\n ... r\\n } |

10
javascript/ql/test/library-tests/DataFlow/argumentPassing.expected Normal file
View File

@@ -0,0 +1,10 @@
| arguments.js:11:5:11:14 | f(1, 2, 3) | arguments.js:11:7:11:7 | 1 | arguments.js:2:5:10:5 | functio ... ;\\n } | arguments.js:2:16:2:16 | x |
| arguments.js:11:5:11:14 | f(1, 2, 3) | arguments.js:11:7:11:7 | 1 | arguments.js:2:5:10:5 | functio ... ;\\n } | arguments.js:4:28:4:39 | arguments[0] |
| arguments.js:11:5:11:14 | f(1, 2, 3) | arguments.js:11:10:11:10 | 2 | arguments.js:2:5:10:5 | functio ... ;\\n } | arguments.js:5:25:5:36 | arguments[1] |
| arguments.js:11:5:11:14 | f(1, 2, 3) | arguments.js:11:13:11:13 | 3 | arguments.js:2:5:10:5 | functio ... ;\\n } | arguments.js:7:24:7:30 | args[2] |
| sources.js:3:1:5:6 | (functi ... \\n})(23) | sources.js:5:4:5:5 | 23 | sources.js:3:2:5:1 | functio ... x+19;\\n} | sources.js:3:11:3:11 | x |
| tst.js:16:1:20:9 | (functi ... ("arg") | tst.js:20:4:20:8 | "arg" | tst.js:16:2:20:1 | functio ... n "";\\n} | tst.js:16:13:16:13 | a |
| tst.js:35:1:35:7 | g(true) | tst.js:35:3:35:6 | true | tst.js:32:1:34:1 | functio ... ables\\n} | tst.js:32:12:32:12 | b |
| tst.js:44:1:44:5 | o.m() | tst.js:44:1:44:1 | o | tst.js:39:4:41:3 | () {\\n this;\\n } | tst.js:39:4:39:3 | this |
| tst.js:87:1:96:2 | (functi ... r: 0\\n}) | tst.js:92:4:96:1 | {\\n p: ... r: 0\\n} | tst.js:87:2:92:1 | functio ... + z;\\n} | tst.js:87:11:87:24 | { p: x, ...o } |
| tst.js:98:1:103:17 | (functi ... 3, 0 ]) | tst.js:103:4:103:16 | [ 19, 23, 0 ] | tst.js:98:2:103:1 | functio ... + z;\\n} | tst.js:98:11:98:24 | [ x, ...rest ] |

6
javascript/ql/test/library-tests/DataFlow/argumentPassing.ql Normal file
View File

@@ -0,0 +1,6 @@
import javascript
import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps
from DataFlow::Node invk, DataFlow::Node arg, Function f, DataFlow::SourceNode parm
where FlowSteps::argumentPassing(invk, arg, f, parm)
select invk, arg, f, parm

12
javascript/ql/test/library-tests/DataFlow/arguments.js Normal file
View File

@@ -0,0 +1,12 @@
(function() {
function f(x) {
let firstArg = x;
let alsoFirstArg = arguments[0];
let secondArg = arguments[1];
let args = arguments;
let thirdArg = args[2];
arguments = {};
let notFirstArg = arguments[0];
}
f(1, 2, 3);
})();

47
javascript/ql/test/library-tests/DataFlow/enclosingExpr.expected
View File

@@ -1,3 +1,42 @@
| arguments.js:1:1:12:2 | (functi ... 3);\\n}) | arguments.js:1:1:12:2 | (functi ... 3);\\n}) |
| arguments.js:1:1:12:4 | (functi ... );\\n})() | arguments.js:1:1:12:4 | (functi ... );\\n})() |
| arguments.js:1:2:12:1 | functio ... , 3);\\n} | arguments.js:1:2:12:1 | functio ... , 3);\\n} |
| arguments.js:2:14:2:14 | f | arguments.js:2:14:2:14 | f |
| arguments.js:2:16:2:16 | x | arguments.js:2:16:2:16 | x |
| arguments.js:3:13:3:20 | firstArg | arguments.js:3:13:3:20 | firstArg |
| arguments.js:3:13:3:24 | firstArg = x | arguments.js:3:13:3:24 | firstArg = x |
| arguments.js:3:24:3:24 | x | arguments.js:3:24:3:24 | x |
| arguments.js:4:13:4:24 | alsoFirstArg | arguments.js:4:13:4:24 | alsoFirstArg |
| arguments.js:4:13:4:39 | alsoFir ... ents[0] | arguments.js:4:13:4:39 | alsoFir ... ents[0] |
| arguments.js:4:28:4:36 | arguments | arguments.js:4:28:4:36 | arguments |
| arguments.js:4:28:4:39 | arguments[0] | arguments.js:4:28:4:39 | arguments[0] |
| arguments.js:4:38:4:38 | 0 | arguments.js:4:38:4:38 | 0 |
| arguments.js:5:13:5:21 | secondArg | arguments.js:5:13:5:21 | secondArg |
| arguments.js:5:13:5:36 | secondA ... ents[1] | arguments.js:5:13:5:36 | secondA ... ents[1] |
| arguments.js:5:25:5:33 | arguments | arguments.js:5:25:5:33 | arguments |
| arguments.js:5:25:5:36 | arguments[1] | arguments.js:5:25:5:36 | arguments[1] |
| arguments.js:5:35:5:35 | 1 | arguments.js:5:35:5:35 | 1 |
| arguments.js:6:13:6:16 | args | arguments.js:6:13:6:16 | args |
| arguments.js:6:13:6:28 | args = arguments | arguments.js:6:13:6:28 | args = arguments |
| arguments.js:6:20:6:28 | arguments | arguments.js:6:20:6:28 | arguments |
| arguments.js:7:13:7:20 | thirdArg | arguments.js:7:13:7:20 | thirdArg |
| arguments.js:7:13:7:30 | thirdArg = args[2] | arguments.js:7:13:7:30 | thirdArg = args[2] |
| arguments.js:7:24:7:27 | args | arguments.js:7:24:7:27 | args |
| arguments.js:7:24:7:30 | args[2] | arguments.js:7:24:7:30 | args[2] |
| arguments.js:7:29:7:29 | 2 | arguments.js:7:29:7:29 | 2 |
| arguments.js:8:9:8:17 | arguments | arguments.js:8:9:8:17 | arguments |
| arguments.js:8:9:8:22 | arguments = {} | arguments.js:8:9:8:22 | arguments = {} |
| arguments.js:8:21:8:22 | {} | arguments.js:8:21:8:22 | {} |
| arguments.js:9:13:9:23 | notFirstArg | arguments.js:9:13:9:23 | notFirstArg |
| arguments.js:9:13:9:38 | notFirs ... ents[0] | arguments.js:9:13:9:38 | notFirs ... ents[0] |
| arguments.js:9:27:9:35 | arguments | arguments.js:9:27:9:35 | arguments |
| arguments.js:9:27:9:38 | arguments[0] | arguments.js:9:27:9:38 | arguments[0] |
| arguments.js:9:37:9:37 | 0 | arguments.js:9:37:9:37 | 0 |
| arguments.js:11:5:11:5 | f | arguments.js:11:5:11:5 | f |
| arguments.js:11:5:11:14 | f(1, 2, 3) | arguments.js:11:5:11:14 | f(1, 2, 3) |
| arguments.js:11:7:11:7 | 1 | arguments.js:11:7:11:7 | 1 |
| arguments.js:11:10:11:10 | 2 | arguments.js:11:10:11:10 | 2 |
| arguments.js:11:13:11:13 | 3 | arguments.js:11:13:11:13 | 3 |
| eval.js:1:10:1:10 | k | eval.js:1:10:1:10 | k |
| eval.js:2:7:2:7 | x | eval.js:2:7:2:7 | x |
| eval.js:2:7:2:12 | x = 42 | eval.js:2:7:2:12 | x = 42 |
@@ -9,14 +48,12 @@
| sources.js:1:1:1:12 | new (x => x) | sources.js:1:1:1:12 | new (x => x) |
| sources.js:1:5:1:12 | (x => x) | sources.js:1:5:1:12 | (x => x) |
| sources.js:1:6:1:6 | x | sources.js:1:6:1:6 | x |
| sources.js:1:6:1:6 | x | sources.js:1:6:1:6 | x |
| sources.js:1:6:1:11 | x => x | sources.js:1:6:1:11 | x => x |
| sources.js:1:11:1:11 | x | sources.js:1:11:1:11 | x |
| sources.js:3:1:5:2 | (functi ... +19;\\n}) | sources.js:3:1:5:2 | (functi ... +19;\\n}) |
| sources.js:3:1:5:6 | (functi ... \\n})(23) | sources.js:3:1:5:6 | (functi ... \\n})(23) |
| sources.js:3:2:5:1 | functio ... x+19;\\n} | sources.js:3:2:5:1 | functio ... x+19;\\n} |
| sources.js:3:11:3:11 | x | sources.js:3:11:3:11 | x |
| sources.js:3:11:3:11 | x | sources.js:3:11:3:11 | x |
| sources.js:4:10:4:10 | x | sources.js:4:10:4:10 | x |
| sources.js:4:10:4:13 | x+19 | sources.js:4:10:4:13 | x+19 |
| sources.js:4:12:4:13 | 19 | sources.js:4:12:4:13 | 19 |
@@ -24,7 +61,6 @@
| sources.js:7:1:7:3 | /x/ | sources.js:7:1:7:3 | /x/ |
| sources.js:9:10:9:12 | foo | sources.js:9:10:9:12 | foo |
| sources.js:9:14:9:18 | array | sources.js:9:14:9:18 | array |
| sources.js:9:14:9:18 | array | sources.js:9:14:9:18 | array |
| sources.js:10:12:10:14 | key | sources.js:10:12:10:14 | key |
| sources.js:10:12:10:14 | key | sources.js:10:12:10:14 | key |
| sources.js:10:19:10:23 | array | sources.js:10:19:10:23 | array |
@@ -61,7 +97,6 @@
| tst2.ts:13:39:13:38 | ...args | tst2.ts:13:39:13:38 | ...args |
| tst2.ts:13:39:13:38 | args | tst2.ts:13:39:13:38 | args |
| tst2.ts:13:39:13:38 | args | tst2.ts:13:39:13:38 | args |
| tst2.ts:13:39:13:38 | args | tst2.ts:13:39:13:38 | args |
| tst2.ts:13:39:13:38 | constructor | tst2.ts:13:39:13:38 | constructor |
| tst2.ts:13:39:13:38 | super | tst2.ts:13:39:13:38 | super |
| tst2.ts:13:39:13:38 | super(...args) | tst2.ts:13:39:13:38 | super(...args) |
@@ -102,7 +137,6 @@
| tst.js:16:2:20:1 | functio ... n "";\\n} | tst.js:16:2:20:1 | functio ... n "";\\n} |
| tst.js:16:11:16:11 | f | tst.js:16:11:16:11 | f |
| tst.js:16:13:16:13 | a | tst.js:16:13:16:13 | a |
| tst.js:16:13:16:13 | a | tst.js:16:13:16:13 | a |
| tst.js:17:7:17:10 | Math | tst.js:17:7:17:10 | Math |
| tst.js:17:7:17:17 | Math.random | tst.js:17:7:17:17 | Math.random |
| tst.js:17:7:17:19 | Math.random() | tst.js:17:7:17:19 | Math.random() |
@@ -127,7 +161,6 @@
| tst.js:29:3:29:3 | x | tst.js:29:3:29:3 | x |
| tst.js:32:10:32:10 | g | tst.js:32:10:32:10 | g |
| tst.js:32:12:32:12 | b | tst.js:32:12:32:12 | b |
| tst.js:32:12:32:12 | b | tst.js:32:12:32:12 | b |
| tst.js:33:10:33:10 | x | tst.js:33:10:33:10 | x |
| tst.js:35:1:35:1 | g | tst.js:35:1:35:1 | g |
| tst.js:35:1:35:7 | g(true) | tst.js:35:1:35:7 | g(true) |
@@ -225,7 +258,6 @@
| tst.js:87:1:96:2 | (functi ... r: 0\\n}) | tst.js:87:1:96:2 | (functi ... r: 0\\n}) |
| tst.js:87:2:92:1 | functio ... + z;\\n} | tst.js:87:2:92:1 | functio ... + z;\\n} |
| tst.js:87:11:87:24 | { p: x, ...o } | tst.js:87:11:87:24 | { p: x, ...o } |
| tst.js:87:11:87:24 | { p: x, ...o } | tst.js:87:11:87:24 | { p: x, ...o } |
| tst.js:87:13:87:13 | p | tst.js:87:13:87:13 | p |
| tst.js:87:16:87:16 | x | tst.js:87:16:87:16 | x |
| tst.js:87:22:87:22 | o | tst.js:87:22:87:22 | o |
@@ -258,7 +290,6 @@
| tst.js:98:1:103:17 | (functi ... 3, 0 ]) | tst.js:98:1:103:17 | (functi ... 3, 0 ]) |
| tst.js:98:2:103:1 | functio ... + z;\\n} | tst.js:98:2:103:1 | functio ... + z;\\n} |
| tst.js:98:11:98:24 | [ x, ...rest ] | tst.js:98:11:98:24 | [ x, ...rest ] |
| tst.js:98:11:98:24 | [ x, ...rest ] | tst.js:98:11:98:24 | [ x, ...rest ] |
| tst.js:98:13:98:13 | x | tst.js:98:13:98:13 | x |
| tst.js:98:19:98:22 | rest | tst.js:98:19:98:22 | rest |
| tst.js:99:7:99:11 | [ y ] | tst.js:99:7:99:11 | [ y ] |

18
javascript/ql/test/library-tests/DataFlow/flowStep.expected
View File

@@ -1,12 +1,28 @@
| arguments.js:1:2:12:1 | functio ... , 3);\\n} | arguments.js:1:1:12:2 | (functi ... 3);\\n}) |
| arguments.js:2:5:2:5 | arguments | arguments.js:4:28:4:36 | arguments |
| arguments.js:2:5:2:5 | arguments | arguments.js:5:25:5:33 | arguments |
| arguments.js:2:5:2:5 | arguments | arguments.js:6:20:6:28 | arguments |
| arguments.js:2:5:10:5 | functio ... ;\\n } | arguments.js:2:14:2:14 | f |
| arguments.js:2:14:2:14 | f | arguments.js:11:5:11:5 | f |
| arguments.js:2:16:2:16 | x | arguments.js:2:16:2:16 | x |
| arguments.js:2:16:2:16 | x | arguments.js:3:24:3:24 | x |
| arguments.js:6:13:6:28 | args | arguments.js:7:24:7:27 | args |
| arguments.js:6:20:6:28 | arguments | arguments.js:6:13:6:28 | args |
| arguments.js:8:9:8:22 | arguments | arguments.js:9:27:9:35 | arguments |
| arguments.js:8:21:8:22 | {} | arguments.js:8:9:8:22 | arguments |
| arguments.js:8:21:8:22 | {} | arguments.js:8:9:8:22 | arguments = {} |
| eval.js:2:7:2:12 | x | eval.js:4:3:4:3 | x |
| eval.js:2:11:2:12 | 42 | eval.js:2:7:2:12 | x |
| sources.js:1:6:1:6 | x | sources.js:1:6:1:6 | x |
| sources.js:1:6:1:6 | x | sources.js:1:11:1:11 | x |
| sources.js:1:6:1:11 | x => x | sources.js:1:5:1:12 | (x => x) |
| sources.js:1:11:1:11 | x | sources.js:1:1:1:12 | new (x => x) |
| sources.js:3:2:5:1 | functio ... x+19;\\n} | sources.js:3:1:5:2 | (functi ... +19;\\n}) |
| sources.js:3:11:3:11 | x | sources.js:3:11:3:11 | x |
| sources.js:3:11:3:11 | x | sources.js:4:10:4:10 | x |
| sources.js:4:10:4:13 | x+19 | sources.js:3:1:5:6 | (functi ... \\n})(23) |
| sources.js:5:4:5:5 | 23 | sources.js:3:11:3:11 | x |
| sources.js:9:14:9:18 | array | sources.js:9:14:9:18 | array |
| sources.js:9:14:9:18 | array | sources.js:10:19:10:23 | array |
| sources.js:9:14:9:18 | array | sources.js:11:23:11:27 | array |
| sources.js:10:12:10:14 | key | sources.js:10:28:10:30 | key |
@@ -27,6 +43,7 @@
| tst2.ts:11:11:11:13 | A.x | tst2.ts:11:11:11:23 | A.x as number |
| tst2.ts:13:26:13:29 | List | tst2.ts:13:26:13:37 | List<string> |
| tst2.ts:13:39:13:38 | args | tst2.ts:13:39:13:38 | args |
| tst2.ts:13:39:13:38 | args | tst2.ts:13:39:13:38 | args |
| tst.js:1:1:1:1 | x | tst.js:3:5:3:5 | x |
| tst.js:1:10:1:11 | fs | tst.js:1:10:1:11 | fs |
| tst.js:1:10:1:11 | fs | tst.js:7:1:7:2 | fs |
@@ -69,6 +86,7 @@
| tst.js:14:5:14:5 | x | tst.js:14:1:14:9 | z ? x : y |
| tst.js:14:9:14:9 | y | tst.js:14:1:14:9 | z ? x : y |
| tst.js:16:2:20:1 | functio ... n "";\\n} | tst.js:16:1:20:2 | (functi ... "";\\n}) |
| tst.js:16:13:16:13 | a | tst.js:16:13:16:13 | a |
| tst.js:16:13:16:13 | a | tst.js:18:12:18:12 | a |
| tst.js:18:12:18:12 | a | tst.js:16:1:20:9 | (functi ... ("arg") |
| tst.js:19:10:19:11 | "" | tst.js:16:1:20:9 | (functi ... ("arg") |

7
javascript/ql/test/library-tests/DataFlow/getIntValue.expected
View File

@@ -1,3 +1,10 @@
| arguments.js:4:38:4:38 | 0 | 0 |
| arguments.js:5:35:5:35 | 1 | 1 |
| arguments.js:7:29:7:29 | 2 | 2 |
| arguments.js:9:37:9:37 | 0 | 0 |
| arguments.js:11:7:11:7 | 1 | 1 |
| arguments.js:11:10:11:10 | 2 | 2 |
| arguments.js:11:13:11:13 | 3 | 3 |
| eval.js:2:11:2:12 | 42 | 42 |
| sources.js:4:12:4:13 | 19 | 19 |
| sources.js:5:4:5:5 | 23 | 23 |

12
javascript/ql/test/library-tests/DataFlow/incomplete.expected
View File

@@ -1,10 +1,19 @@
| arguments.js:1:1:12:4 | exceptional return of (functi ... );\\n})() | call |
| arguments.js:1:2:12:1 | exceptional return of anonymous function | call |
| arguments.js:2:5:10:5 | exceptional return of function f | call |
| arguments.js:2:16:2:16 | x | call |
| arguments.js:4:28:4:39 | arguments[0] | heap |
| arguments.js:5:25:5:36 | arguments[1] | heap |
| arguments.js:7:24:7:30 | args[2] | heap |
| arguments.js:9:27:9:38 | arguments[0] | heap |
| arguments.js:11:5:11:14 | exceptional return of f(1, 2, 3) | call |
| arguments.js:11:5:11:14 | f(1, 2, 3) | call |
| eval.js:1:1:5:1 | exceptional return of function k | call |
| eval.js:2:7:2:12 | x | eval |
| eval.js:3:3:3:6 | eval | global |
| eval.js:3:3:3:16 | eval("x = 23") | call |
| eval.js:3:3:3:16 | exceptional return of eval("x = 23") | call |
| sources.js:1:1:1:12 | exceptional return of new (x => x) | call |
| sources.js:1:6:1:6 | x | call |
| sources.js:1:6:1:11 | exceptional return of anonymous function | call |
| sources.js:3:1:5:6 | exceptional return of (functi ... \\n})(23) | call |
| sources.js:3:2:5:1 | exceptional return of anonymous function | call |
@@ -20,7 +29,6 @@
| tst2.ts:8:3:8:5 | A.x | heap |
| tst2.ts:11:11:11:13 | A.x | heap |
| tst2.ts:13:26:13:29 | List | global |
| tst2.ts:13:39:13:38 | args | call |
| tst2.ts:13:39:13:38 | exceptional return of default constructor of class StringList | call |
| tst2.ts:13:39:13:38 | exceptional return of super(...args) | call |
| tst2.ts:13:39:13:38 | super | call |

1
javascript/ql/test/library-tests/DataFlow/parameters.expected
View File

@@ -1,3 +1,4 @@
| arguments.js:2:16:2:16 | x |
| sources.js:1:6:1:6 | x |
| sources.js:3:11:3:11 | x |
| sources.js:9:14:9:18 | array |

13
javascript/ql/test/library-tests/DataFlow/sources.expected
View File

@@ -1,3 +1,16 @@
| arguments.js:1:1:1:0 | this |
| arguments.js:1:1:12:4 | (functi ... );\\n})() |
| arguments.js:1:2:1:1 | this |
| arguments.js:1:2:12:1 | functio ... , 3);\\n} |
| arguments.js:2:5:2:4 | this |
| arguments.js:2:5:10:5 | functio ... ;\\n } |
| arguments.js:2:16:2:16 | x |
| arguments.js:4:28:4:39 | arguments[0] |
| arguments.js:5:25:5:36 | arguments[1] |
| arguments.js:7:24:7:30 | args[2] |
| arguments.js:8:21:8:22 | {} |
| arguments.js:9:27:9:38 | arguments[0] |
| arguments.js:11:5:11:14 | f(1, 2, 3) |
| eval.js:1:1:1:0 | this |
| eval.js:1:1:1:0 | this |
| eval.js:1:1:5:1 | functio ... eval`\\n} |

1
javascript/ql/test/library-tests/DefUse/VarDefSource.expected
View File

@@ -32,4 +32,3 @@
| tst.js:11:11:11:11 | g | tst.js:11:2:15:1 | functio ... rn x;\\n} |
| tst.js:12:2:12:7 | x = 42 | tst.js:12:6:12:7 | 42 |
| tst.js:19:11:19:11 | x | tst.js:19:2:19:16 | function x() {} |
| tst.js:26:11:26:11 | a | tst.js:26:15:26:15 | b |

10
javascript/ql/test/library-tests/Flow/AbstractValues.expected
View File

@@ -168,6 +168,16 @@
| h.js:2:23:2:22 | default constructor of class C |
| h_import.js:1:1:3:0 | exports object of module h_import |
| h_import.js:1:1:3:0 | module object of module h_import |
| implicit-returns.js:1:1:27:0 | exports object of module implicit-returns |
| implicit-returns.js:1:1:27:0 | module object of module implicit-returns |
| implicit-returns.js:3:1:12:1 | function endWithLoop |
| implicit-returns.js:3:1:12:1 | instance of function endWithLoop |
| implicit-returns.js:14:1:16:1 | function useLoop |
| implicit-returns.js:14:1:16:1 | instance of function useLoop |
| implicit-returns.js:18:1:22:1 | function endWithShortIf |
| implicit-returns.js:18:1:22:1 | instance of function endWithShortIf |
| implicit-returns.js:24:1:26:1 | function useShortIf |
| implicit-returns.js:24:1:26:1 | instance of function useShortIf |
| import.js:1:1:13:0 | exports object of module import |
| import.js:1:1:13:0 | module object of module import |
| imports.ts:1:1:8:0 | exports object of module imports |

5
javascript/ql/test/library-tests/Flow/abseval.expected
View File

@@ -142,6 +142,11 @@
| globals.html:26:52:26:53 | x2 | globals.html:26:57:26:66 | someGlobal | file://:0:0:0:0 | non-zero value |
| globals.html:26:52:26:53 | x2 | globals.html:26:57:26:66 | someGlobal | file://:0:0:0:0 | true |
| h_import.js:2:5:2:6 | ff | h_import.js:2:10:2:10 | f | h.js:1:8:1:22 | function f |
| implicit-returns.js:4:9:4:9 | i | implicit-returns.js:4:13:4:13 | 0 | file://:0:0:0:0 | 0 |
| implicit-returns.js:15:9:15:9 | x | implicit-returns.js:15:13:15:25 | endWithLoop() | file://:0:0:0:0 | true |
| implicit-returns.js:15:9:15:9 | x | implicit-returns.js:15:13:15:25 | endWithLoop() | file://:0:0:0:0 | undefined |
| implicit-returns.js:25:9:25:9 | x | implicit-returns.js:25:13:25:28 | endWithShortIf() | file://:0:0:0:0 | true |
| implicit-returns.js:25:9:25:9 | x | implicit-returns.js:25:13:25:28 | endWithShortIf() | file://:0:0:0:0 | undefined |
| import.js:2:5:2:5 | m | import.js:2:9:2:13 | mixin | mixins.js:1:16:1:32 | anonymous function |
| import.js:5:5:5:7 | myf | import.js:5:11:5:11 | f | n.js:1:1:1:15 | function f |
| import.js:8:5:8:11 | someVar | import.js:8:15:8:23 | someStuff | file://:0:0:0:0 | indefinite value (call) |

4
javascript/ql/test/library-tests/Flow/getAPrototype.expected
View File

@@ -30,6 +30,10 @@
| globals.html:22:7:22:21 | instance of function x | globals.html:22:7:22:21 | instance of function x |
| globals.html:26:23:26:69 | instance of anonymous function | globals.html:26:23:26:69 | instance of anonymous function |
| h.js:1:8:1:22 | instance of function f | h.js:1:8:1:22 | instance of function f |
| implicit-returns.js:3:1:12:1 | instance of function endWithLoop | implicit-returns.js:3:1:12:1 | instance of function endWithLoop |
| implicit-returns.js:14:1:16:1 | instance of function useLoop | implicit-returns.js:14:1:16:1 | instance of function useLoop |
| implicit-returns.js:18:1:22:1 | instance of function endWithShortIf | implicit-returns.js:18:1:22:1 | instance of function endWithShortIf |
| implicit-returns.js:24:1:26:1 | instance of function useShortIf | implicit-returns.js:24:1:26:1 | instance of function useShortIf |
| instances.js:1:1:4:1 | instance of function A | instances.js:1:1:4:1 | instance of function A |
| instances.js:3:14:3:26 | instance of anonymous function | instances.js:3:14:3:26 | instance of anonymous function |
| instances.js:6:19:6:31 | instance of anonymous function | instances.js:6:19:6:31 | instance of anonymous function |

26
javascript/ql/test/library-tests/Flow/implicit-returns.js Normal file
View File

@@ -0,0 +1,26 @@
import 'dummy';
function endWithLoop() {
var i = 0;
while (i < 10) {
if (Math.random() * 10 < i) {
return true;
}
++i;
}
// Can fall over end
}
function useLoop() {
let x = endWithLoop(); // can be true or undefined
}
function endWithShortIf() {
if (something() < 10) {
return true;
}
}
function useShortIf() {
let x = endWithShortIf(); // true or undefined
}

3
javascript/ql/test/library-tests/Flow/types.expected
View File

@@ -78,6 +78,9 @@
| globals.html:26:40:26:41 | x1 | globals.html:26:45:26:45 | x | boolean, class, date, function, null, number, object, regular expression,string or undefined |
| globals.html:26:52:26:53 | x2 | globals.html:26:57:26:66 | someGlobal | boolean, class, date, function, null, number, object, regular expression,string or undefined |
| h_import.js:2:5:2:6 | ff | h_import.js:2:10:2:10 | f | function |
| implicit-returns.js:4:9:4:9 | i | implicit-returns.js:4:13:4:13 | 0 | number |
| implicit-returns.js:15:9:15:9 | x | implicit-returns.js:15:13:15:25 | endWithLoop() | boolean or undefined |
| implicit-returns.js:25:9:25:9 | x | implicit-returns.js:25:13:25:28 | endWithShortIf() | boolean or undefined |
| import.js:2:5:2:5 | m | import.js:2:9:2:13 | mixin | function |
| import.js:5:5:5:7 | myf | import.js:5:11:5:11 | f | function |
| import.js:8:5:8:11 | someVar | import.js:8:15:8:23 | someStuff | boolean, class, date, function, null, number, object, regular expression,string or undefined |

2
javascript/ql/test/library-tests/GlobalAccessPaths/GlobalAccessPaths.expected
View File

@@ -1,5 +1,6 @@
test_getAReferenceTo
| other_ns.js:2:11:2:12 | ns | NS |
| other_ns.js:2:11:2:12 | ns | NS |
| other_ns.js:3:3:3:4 | ns | NS |
| other_ns.js:3:3:3:8 | ns.foo | NS.foo |
| other_ns.js:3:3:3:12 | ns.foo.bar | NS.foo.bar |
@@ -43,6 +44,7 @@ test_getAReferenceTo
| test.js:14:17:14:19 | bar | bar |
| test.js:14:17:14:23 | bar.baz | bar.baz |
| test.js:22:11:22:12 | ns | NS |
| test.js:22:11:22:12 | ns | NS |
| test.js:23:3:23:4 | ns | NS |
| test.js:23:3:23:8 | ns.foo | NS.foo |
| test.js:23:3:23:12 | ns.foo.bar | NS.foo.bar |

18
javascript/ql/test/library-tests/InterProceduralFlow/TrackedNodes.expected
View File

@@ -1,37 +1,55 @@
| missing | callback.js:17:15:17:23 | "source2" | callback.js:8:16:8:20 | xs[i] |
| missing | callback.js:17:15:17:23 | "source2" | callback.js:12:16:12:16 | x |
| missing | callback.js:17:15:17:23 | "source2" | callback.js:12:16:12:16 | x |
| missing | callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
| missing | promises.js:1:2:1:2 | source | promises.js:6:26:6:28 | val |
| missing | promises.js:1:2:1:2 | source | promises.js:6:26:6:28 | val |
| missing | promises.js:1:2:1:2 | source | promises.js:7:16:7:18 | val |
| missing | promises.js:1:2:1:2 | source | promises.js:37:11:37:11 | v |
| missing | promises.js:1:2:1:2 | source | promises.js:37:11:37:11 | v |
| missing | promises.js:1:2:1:2 | source | promises.js:38:32:38:32 | v |
| missing | promises.js:2:16:2:24 | "tainted" | promises.js:6:26:6:28 | val |
| missing | promises.js:2:16:2:24 | "tainted" | promises.js:6:26:6:28 | val |
| missing | promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
| missing | promises.js:2:16:2:24 | "tainted" | promises.js:37:11:37:11 | v |
| missing | promises.js:2:16:2:24 | "tainted" | promises.js:37:11:37:11 | v |
| missing | promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
| missing | promises.js:10:30:17:3 | exceptional return of anonymous function | promises.js:20:7:20:7 | v |
| missing | promises.js:10:30:17:3 | exceptional return of anonymous function | promises.js:20:7:20:7 | v |
| missing | promises.js:10:30:17:3 | exceptional return of anonymous function | promises.js:21:20:21:20 | v |
| missing | promises.js:10:30:17:3 | exceptional return of anonymous function | promises.js:23:19:23:19 | v |
| missing | promises.js:10:30:17:3 | exceptional return of anonymous function | promises.js:23:19:23:19 | v |
| missing | promises.js:10:30:17:3 | exceptional return of anonymous function | promises.js:24:20:24:20 | v |
| missing | promises.js:11:22:11:31 | "resolved" | promises.js:18:18:18:18 | v |
| missing | promises.js:11:22:11:31 | "resolved" | promises.js:18:18:18:18 | v |
| missing | promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |
| missing | promises.js:12:22:12:31 | "rejected" | promises.js:20:7:20:7 | v |
| missing | promises.js:12:22:12:31 | "rejected" | promises.js:20:7:20:7 | v |
| missing | promises.js:12:22:12:31 | "rejected" | promises.js:21:20:21:20 | v |
| missing | promises.js:12:22:12:31 | "rejected" | promises.js:23:19:23:19 | v |
| missing | promises.js:12:22:12:31 | "rejected" | promises.js:23:19:23:19 | v |
| missing | promises.js:12:22:12:31 | "rejected" | promises.js:24:20:24:20 | v |
| missing | promises.js:13:9:13:21 | exceptional return of Math.random() | promises.js:20:7:20:7 | v |
| missing | promises.js:13:9:13:21 | exceptional return of Math.random() | promises.js:20:7:20:7 | v |
| missing | promises.js:13:9:13:21 | exceptional return of Math.random() | promises.js:21:20:21:20 | v |
| missing | promises.js:13:9:13:21 | exceptional return of Math.random() | promises.js:23:19:23:19 | v |
| missing | promises.js:13:9:13:21 | exceptional return of Math.random() | promises.js:23:19:23:19 | v |
| missing | promises.js:13:9:13:21 | exceptional return of Math.random() | promises.js:24:20:24:20 | v |
| missing | promises.js:14:7:14:21 | exceptional return of res(res_source) | promises.js:20:7:20:7 | v |
| missing | promises.js:14:7:14:21 | exceptional return of res(res_source) | promises.js:20:7:20:7 | v |
| missing | promises.js:14:7:14:21 | exceptional return of res(res_source) | promises.js:21:20:21:20 | v |
| missing | promises.js:14:7:14:21 | exceptional return of res(res_source) | promises.js:23:19:23:19 | v |
| missing | promises.js:14:7:14:21 | exceptional return of res(res_source) | promises.js:23:19:23:19 | v |
| missing | promises.js:14:7:14:21 | exceptional return of res(res_source) | promises.js:24:20:24:20 | v |
| missing | promises.js:16:7:16:21 | exceptional return of rej(rej_source) | promises.js:20:7:20:7 | v |
| missing | promises.js:16:7:16:21 | exceptional return of rej(rej_source) | promises.js:20:7:20:7 | v |
| missing | promises.js:16:7:16:21 | exceptional return of rej(rej_source) | promises.js:21:20:21:20 | v |
| missing | promises.js:16:7:16:21 | exceptional return of rej(rej_source) | promises.js:23:19:23:19 | v |
| missing | promises.js:16:7:16:21 | exceptional return of rej(rej_source) | promises.js:23:19:23:19 | v |
| missing | promises.js:16:7:16:21 | exceptional return of rej(rej_source) | promises.js:24:20:24:20 | v |
| missing | promises.js:32:24:32:37 | "also tainted" | promises.js:37:11:37:11 | v |
| missing | promises.js:32:24:32:37 | "also tainted" | promises.js:37:11:37:11 | v |
| missing | promises.js:32:24:32:37 | "also tainted" | promises.js:38:32:38:32 | v |
| missing | tst.js:2:17:2:22 | "src1" | tst.js:27:22:27:24 | elt |
| missing | tst.js:2:17:2:22 | "src1" | tst.js:27:22:27:24 | elt |
| missing | tst.js:2:17:2:22 | "src1" | tst.js:28:20:28:22 | elt |

6
javascript/ql/test/library-tests/LocalObjects/tst.js
View File

@@ -89,3 +89,9 @@
let bound = {};
bound::unknown();
});
(async function* f() {
yield* {
get p() { }
};
});

1
javascript/ql/test/library-tests/ModuleImportNodes/tests.expected
View File

@@ -1,4 +1,5 @@
test_ModuleImportNode
| amd1.js:1:25:1:26 | fs | fs | amd1.js:1:25:1:26 | fs | fs |
| amd1.js:1:25:1:26 | fs | fs | amd1.js:2:3:2:4 | fs | fs |
| amd2.js:2:12:2:24 | require('fs') | fs | amd2.js:3:3:3:4 | fs | fs |
| client1.ts:4:28:4:29 | F1 | framework1 | client1.ts:4:28:4:29 | F1 | F1 |

2
javascript/ql/test/library-tests/NodeJS/Require.expected
View File

@@ -11,6 +11,8 @@
| d.js:7:1:7:14 | require('foo') |
| e.js:5:1:5:18 | require("process") |
| f.js:2:1:2:7 | r("fs") |
| g.js:1:1:1:96 | (proces ... https") |
| g.js:1:43:1:61 | require("electron") |
| index.js:1:12:1:26 | require('path') |
| index.js:2:1:2:41 | require ... b.js")) |
| mjs-files/require-from-js.js:1:12:1:36 | require ... on-me') |

1
javascript/ql/test/library-tests/NodeJS/g.js Normal file
View File

@@ -0,0 +1 @@
(process && "renderer" === process.type ? require("electron").remote.require : require)("https");

1
javascript/ql/test/library-tests/PackageExports/index.js Normal file
View File

@@ -0,0 +1 @@
module.exports = function notExportedAnyWhere() {}

1
javascript/ql/test/library-tests/PackageExports/lib1/bar.js Normal file
View File

@@ -0,0 +1 @@
module.exports = function notImportedAnywhere() {}

3
javascript/ql/test/library-tests/PackageExports/lib1/foo.js Normal file
View File

@@ -0,0 +1,3 @@
module.exports = function thisIsRequiredFromMain() {}
module.exports.foo = function alsoExported() {}

1
javascript/ql/test/library-tests/PackageExports/lib1/index.js Normal file
View File

@@ -0,0 +1 @@
module.exports = function alsoNotExported() {}

17
javascript/ql/test/library-tests/PackageExports/lib1/main.js Normal file
View File

@@ -0,0 +1,17 @@
module.exports = function isExported() {}
module.exports.foo = require("./foo.js")
module.exports.bar = class Bar {
constructor() {} // all are exported
static staticMethod() {}
instanceMethod() {}
}
class Baz {
constructor() {} // not exported
static staticMethod() {} // not exported
instanceMethod() {} // exported
}
module.exports.Baz = new Baz()

3
javascript/ql/test/library-tests/PackageExports/lib1/package.json Normal file
View File

@@ -0,0 +1,3 @@
{
"main": "main.js"
}

3
javascript/ql/test/library-tests/PackageExports/lib1/sublib/package.json Normal file
View File

@@ -0,0 +1,3 @@
{
"main": "sublib.js"
}

1
javascript/ql/test/library-tests/PackageExports/lib1/sublib/sublib.js Normal file
View File

@@ -0,0 +1 @@
module.exports = function exportedInSublibButIsNotAMainPackageExport() {}

31
javascript/ql/test/library-tests/PackageExports/tests.expected Normal file
View File

@@ -0,0 +1,31 @@
getTopmostPackageJSON
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} |
getAValueExportedBy
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:1:1:1:0 | this |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:1:1:1:53 | module. ... in() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:1:18:1:53 | functio ... in() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:1:3:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:1:3:18 | module.exports.foo |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:22:3:21 | this |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:22:3:47 | functio ... ed() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:1:1:1:0 | this |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:1:1:1:41 | module. ... ed() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:1:18:1:41 | functio ... ed() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:1:3:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:1:3:18 | module.exports.foo |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:1:3:40 | module. ... oo.js") |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:22:3:40 | require("./foo.js") |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:5:1:5:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:5:1:5:18 | module.exports.bar |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:5:22:9:1 | class B ... () {}\\n} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:6:16:6:20 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:7:5:7:28 | static ... od() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:7:24:7:28 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:8:19:8:23 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:14:19:14:23 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:17:1:17:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:17:1:17:18 | module.exports.Baz |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:17:22:17:30 | new Baz() |
| lib1/sublib/package.json:1:1:3:1 | {\\n " ... b.js"\\n} | lib1/sublib/sublib.js:1:1:1:0 | this |
| lib1/sublib/package.json:1:1:3:1 | {\\n " ... b.js"\\n} | lib1/sublib/sublib.js:1:1:1:73 | module. ... rt() {} |
| lib1/sublib/package.json:1:1:3:1 | {\\n " ... b.js"\\n} | lib1/sublib/sublib.js:1:18:1:73 | functio ... rt() {} |

8
javascript/ql/test/library-tests/PackageExports/tests.ql Normal file
View File

@@ -0,0 +1,8 @@
import javascript
import semmle.javascript.PackageExports as Exports
query PackageJSON getTopmostPackageJSON() { result = Exports::getTopmostPackageJSON() }
query DataFlow::Node getAValueExportedBy(PackageJSON json) {
result = Exports::getAValueExportedBy(json)
}

1
javascript/ql/test/library-tests/Promises/AdditionalPromises.expected
View File

@@ -1,4 +1,5 @@
| additional-promises.js:2:13:2:57 | new Pin ... ct) {}) |
| flow2.js:4:2:4:31 | Promise ... lean"]) |
| flow.js:7:11:7:59 | new Pro ... ource)) |
| flow.js:10:11:10:58 | new Pro ... ource)) |
| flow.js:13:11:13:58 | new Pro ... ource)) |

21
javascript/ql/test/library-tests/Promises/flow2.js Normal file
View File

@@ -0,0 +1,21 @@
(async function () {
var source = "source";
Promise.all([source, "clean"]).then((arr) => {
sink(arr); // OK
sink(arr[0]); // NOT OK
sink(arr[1]); // OK
})
var [clean, tainted] = await Promise.all(["clean", source]);
sink(clean); // OK
sink(tainted); // NOT OK
var [clean2, tainted2] = await Promise.resolve(Promise.all(["clean", source]));
sink(clean2); // OK
sink(tainted2); // NOT OK
var [clean3, tainted3] = await Promise.all(["clean", Promise.resolve(source)]);
sink(clean3); // OK
sink(tainted3); // NOT OK - but only flagged by taint-tracking
});

28
javascript/ql/test/library-tests/Promises/tests.expected
View File

@@ -1,4 +1,14 @@
test_ResolvedPromiseDefinition
| flow2.js:4:2:4:31 | Promise ... lean"]) | flow2.js:4:15:4:20 | source |
| flow2.js:4:2:4:31 | Promise ... lean"]) | flow2.js:4:23:4:29 | "clean" |
| flow2.js:10:31:10:60 | Promise ... ource]) | flow2.js:10:44:10:50 | "clean" |
| flow2.js:10:31:10:60 | Promise ... ource]) | flow2.js:10:53:10:58 | source |
| flow2.js:14:33:14:79 | Promise ... urce])) | flow2.js:14:49:14:78 | Promise ... ource]) |
| flow2.js:14:49:14:78 | Promise ... ource]) | flow2.js:14:62:14:68 | "clean" |
| flow2.js:14:49:14:78 | Promise ... ource]) | flow2.js:14:71:14:76 | source |
| flow2.js:18:33:18:79 | Promise ... urce)]) | flow2.js:18:46:18:52 | "clean" |
| flow2.js:18:33:18:79 | Promise ... urce)]) | flow2.js:18:55:18:77 | Promise ... source) |
| flow2.js:18:55:18:77 | Promise ... source) | flow2.js:18:71:18:76 | source |
| flow.js:4:11:4:33 | Promise ... source) | flow.js:4:27:4:32 | source |
| flow.js:20:2:20:24 | Promise ... source) | flow.js:20:18:20:23 | source |
| flow.js:22:2:22:24 | Promise ... source) | flow.js:22:18:22:23 | source |
@@ -188,6 +198,9 @@ test_PromiseDefinition_getACatchHandler
| flow.js:119:2:119:48 | new Pro ... "BLA")) | flow.js:119:56:119:68 | x => resolved |
| promises.js:10:18:17:4 | new Pro ... );\\n }) | promises.js:23:18:25:3 | (v) => ... v;\\n } |
flow
| flow2.js:2:15:2:22 | "source" | flow2.js:6:8:6:13 | arr[0] |
| flow2.js:2:15:2:22 | "source" | flow2.js:12:7:12:13 | tainted |
| flow2.js:2:15:2:22 | "source" | flow2.js:16:7:16:14 | tainted2 |
| flow.js:2:15:2:22 | "source" | flow.js:5:7:5:14 | await p1 |
| flow.js:2:15:2:22 | "source" | flow.js:8:7:8:14 | await p2 |
| flow.js:2:15:2:22 | "source" | flow.js:17:8:17:8 | e |
@@ -220,8 +233,23 @@ flow
| flow.js:2:15:2:22 | "source" | flow.js:129:69:129:69 | x |
| flow.js:2:15:2:22 | "source" | flow.js:131:43:131:43 | x |
exclusiveTaintFlow
| flow2.js:2:15:2:22 | "source" | flow2.js:20:7:20:14 | tainted3 |
| interflow.js:3:18:3:25 | "source" | interflow.js:18:10:18:14 | error |
typetrack
| flow2.js:4:2:4:31 | Promise ... lean"]) | flow2.js:4:14:4:30 | [source, "clean"] | copy $PromiseResolveField$ |
| flow2.js:4:2:4:31 | Promise ... lean"]) | flow2.js:4:14:4:30 | [source, "clean"] | store $PromiseResolveField$ |
| flow2.js:4:39:4:41 | arr | flow2.js:4:2:4:31 | Promise ... lean"]) | load $PromiseResolveField$ |
| flow2.js:10:25:10:60 | await P ... ource]) | flow2.js:10:31:10:60 | Promise ... ource]) | load $PromiseResolveField$ |
| flow2.js:10:31:10:60 | Promise ... ource]) | flow2.js:10:43:10:59 | ["clean", source] | copy $PromiseResolveField$ |
| flow2.js:10:31:10:60 | Promise ... ource]) | flow2.js:10:43:10:59 | ["clean", source] | store $PromiseResolveField$ |
| flow2.js:14:27:14:79 | await P ... urce])) | flow2.js:14:33:14:79 | Promise ... urce])) | load $PromiseResolveField$ |
| flow2.js:14:33:14:79 | Promise ... urce])) | flow2.js:14:49:14:78 | Promise ... ource]) | copy $PromiseResolveField$ |
| flow2.js:14:33:14:79 | Promise ... urce])) | flow2.js:14:49:14:78 | Promise ... ource]) | store $PromiseResolveField$ |
| flow2.js:14:49:14:78 | Promise ... ource]) | flow2.js:14:61:14:77 | ["clean", source] | copy $PromiseResolveField$ |
| flow2.js:14:49:14:78 | Promise ... ource]) | flow2.js:14:61:14:77 | ["clean", source] | store $PromiseResolveField$ |
| flow2.js:18:27:18:79 | await P ... urce)]) | flow2.js:18:33:18:79 | Promise ... urce)]) | load $PromiseResolveField$ |
| flow2.js:18:33:18:79 | Promise ... urce)]) | flow2.js:18:45:18:78 | ["clean ... ource)] | copy $PromiseResolveField$ |
| flow2.js:18:33:18:79 | Promise ... urce)]) | flow2.js:18:45:18:78 | ["clean ... ource)] | store $PromiseResolveField$ |
| flow.js:20:2:20:43 | Promise ... ink(x)) | flow.js:20:36:20:42 | sink(x) | copy $PromiseResolveField$ |
| flow.js:20:2:20:43 | Promise ... ink(x)) | flow.js:20:36:20:42 | sink(x) | store $PromiseResolveField$ |
| flow.js:20:31:20:31 | x | flow.js:20:2:20:24 | Promise ... source) | load $PromiseResolveField$ |

2
javascript/ql/test/library-tests/PropWrite/tests.expected
View File

@@ -133,7 +133,6 @@ test_hasPropertyWrite
| classes.ts:8:3:8:2 | this | parameterField | classes.ts:8:22:8:35 | parameterField |
| classes.ts:12:5:12:4 | this | parameterField | classes.ts:12:24:12:37 | parameterField |
| classes.ts:16:5:16:4 | this | parameterField | classes.ts:16:24:16:37 | parameterField |
| classes.ts:16:5:16:4 | this | parameterField | classes.ts:16:41:16:42 | {} |
| tst.js:1:11:9:1 | {\\n x ... }\\n} | f | tst.js:6:6:8:5 | () {\\n ... ;\\n } |
| tst.js:1:11:9:1 | {\\n x ... }\\n} | func | tst.js:3:11:5:5 | functio ... ;\\n } |
| tst.js:1:11:9:1 | {\\n x ... }\\n} | x | tst.js:2:8:2:8 | 4 |
@@ -257,7 +256,6 @@ test_PropWriteRhs
| classes.ts:12:17:12:37 | public ... erField | classes.ts:12:24:12:37 | parameterField |
| classes.ts:16:5:16:46 | constru ... {}) {} | classes.ts:16:5:16:46 | constru ... {}) {} |
| classes.ts:16:17:16:37 | public ... erField | classes.ts:16:24:16:37 | parameterField |
| classes.ts:16:17:16:37 | public ... erField | classes.ts:16:41:16:42 | {} |
| tst.js:2:5:2:8 | x: 4 | tst.js:2:8:2:8 | 4 |
| tst.js:3:5:5:5 | func: f ... ;\\n } | tst.js:3:11:5:5 | functio ... ;\\n } |
| tst.js:6:5:8:5 | f() {\\n ... ;\\n } | tst.js:6:6:8:5 | () {\\n ... ;\\n } |

1
javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
View File

@@ -31,6 +31,7 @@ typeInferenceMismatch
| callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
| callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
| callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
| capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
| captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
| closure.js:6:15:6:22 | source() | closure.js:8:8:8:31 | string. ... (taint) |
| closure.js:6:15:6:22 | source() | closure.js:9:8:9:25 | string.trim(taint) |

1
javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
View File

@@ -22,6 +22,7 @@
| callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
| callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
| callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
| capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
| captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
| constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
| constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:22:8:22:19 | c_safe.taint |

19
javascript/ql/test/library-tests/TaintTracking/capture-flow.js Normal file
View File

@@ -0,0 +1,19 @@
import 'dummy';
function outerMost() {
function outer() {
var captured;
function f(x) {
captured = x;
}
f(source());
return captured;
}
sink(outer()); // NOT OK
return outer();
}
sink(outerMost()); // NOT OK - but missed

8
javascript/ql/test/library-tests/TypeScript/CallResolution/CallResolution.expected
View File

@@ -4,16 +4,16 @@
| tst.ts:55:3:55:27 | obj.ove ... od(num) | (x: number): number | 0 |
| tst.ts:56:3:56:27 | obj.ove ... od(str) | (x: string): string | 1 |
| tst.ts:57:3:57:26 | obj.ove ... hod([]) | (x: any): any | 2 |
| tst.ts:58:3:58:36 | obj.gen ... ([num]) | (x: number[]): number | 0 |
| tst.ts:59:3:59:39 | obj.gen ... : str}) | (x: Box<string>): string | 1 |
| tst.ts:58:3:58:36 | obj.gen ... ([num]) | (x: number[]): T | 0 |
| tst.ts:59:3:59:39 | obj.gen ... : str}) | (x: Box<string>): T | 1 |
| tst.ts:60:3:60:34 | obj.gen ... od(num) | (x: any): any | 2 |
| tst.ts:64:3:64:23 | obj.sim ... od(str) | (x: string): number | 0 |
| tst.ts:65:3:65:24 | obj.gen ... od(str) | (x: string): string | 0 |
| tst.ts:66:3:66:24 | obj.gen ... od(num) | (x: number): number | 0 |
| tst.ts:67:3:67:27 | obj.ove ... od(num) | (x: number): number | 0 |
| tst.ts:68:3:68:27 | obj.ove ... od(str) | (x: string): string | 1 |
| tst.ts:69:3:69:36 | obj.gen ... ([num]) | (x: number[]): number | 0 |
| tst.ts:70:3:70:39 | obj.gen ... : str}) | (x: Box<string>): string | 1 |
| tst.ts:69:3:69:36 | obj.gen ... ([num]) | (x: number[]): T | 0 |
| tst.ts:70:3:70:39 | obj.gen ... : str}) | (x: Box<string>): T | 1 |
| tst.ts:74:3:74:28 | new Sim ... or(str) | new (x: string): SimpleConstructor | 0 |
| tst.ts:75:3:75:29 | new Gen ... or(str) | new (x: string): GenericConstructor<string> | 0 |
| tst.ts:76:3:76:29 | new Gen ... or(num) | new (x: number): GenericConstructor<number> | 0 |

28
javascript/ql/test/library-tests/TypeScript/CallSignatureTypes/test.expected
View File

@@ -108,36 +108,36 @@ test_FunctionCallSig
| tst.ts:63:3:63:23 | method2 ... ing[]); | (y: string[]): any |
| tst.ts:64:3:64:21 | method3(y: string); | (y: string): any |
test_getRestParameterType
| (...items: (string \| ConcatArray<string>)[]): string[] | string \| ConcatArray<string> |
| (...items: ConcatArray<string>[]): string[] | ConcatArray<string> |
| (...items: (string \| ConcatArray<string>)[]): T[] | string \| ConcatArray<string> |
| (...items: ConcatArray<string>[]): T[] | ConcatArray<string> |
| (...items: string[]): number | string |
| (...strings: string[]): string | string |
| (...y: string[]): any | string |
| (start: number, deleteCount: number, ...items: string[]): string[] | string |
| (start: number, deleteCount: number, ...items: string[]): T[] | string |
| (substring: string, ...args: any[]): string | any |
| (x: number, ...y: string[]): any | string |
| new (...y: string[]): any | string |
| new (x: number, ...y: string[]): any | string |
test_getRestParameterArray
| (...items: (string \| ConcatArray<string>)[]): string[] | (string \| ConcatArray<string>)[] |
| (...items: ConcatArray<string>[]): string[] | ConcatArray<string>[] |
| (...items: (string \| ConcatArray<string>)[]): T[] | (string \| ConcatArray<string>)[] |
| (...items: ConcatArray<string>[]): T[] | ConcatArray<string>[] |
| (...items: string[]): number | string[] |
| (...strings: string[]): string | string[] |
| (...y: string[]): any | string[] |
| (start: number, deleteCount: number, ...items: string[]): string[] | string[] |
| (start: number, deleteCount: number, ...items: string[]): T[] | string[] |
| (substring: string, ...args: any[]): string | any[] |
| (x: number, ...y: string[]): any | string[] |
| new (...y: string[]): any | string[] |
| new (x: number, ...y: string[]): any | string[] |
test_RestSig_getParameter
| (...items: (string \| ConcatArray<string>)[]): string[] | 0 | items | string \| ConcatArray<string> |
| (...items: ConcatArray<string>[]): string[] | 0 | items | ConcatArray<string> |
| (...items: (string \| ConcatArray<string>)[]): T[] | 0 | items | string \| ConcatArray<string> |
| (...items: ConcatArray<string>[]): T[] | 0 | items | ConcatArray<string> |
| (...items: string[]): number | 0 | items | string |
| (...strings: string[]): string | 0 | strings | string |
| (...y: string[]): any | 0 | y | string |
| (start: number, deleteCount: number, ...items: string[]): string[] | 0 | start | number |
| (start: number, deleteCount: number, ...items: string[]): string[] | 1 | deleteCount | number |
| (start: number, deleteCount: number, ...items: string[]): string[] | 2 | items | string |
| (start: number, deleteCount: number, ...items: string[]): T[] | 0 | start | number |
| (start: number, deleteCount: number, ...items: string[]): T[] | 1 | deleteCount | number |
| (start: number, deleteCount: number, ...items: string[]): T[] | 2 | items | string |
| (substring: string, ...args: any[]): string | 0 | substring | string |
| (substring: string, ...args: any[]): string | 1 | args | any |
| (x: number, ...y: string[]): any | 0 | x | number |
@@ -146,12 +146,12 @@ test_RestSig_getParameter
| new (x: number, ...y: string[]): any | 0 | x | number |
| new (x: number, ...y: string[]): any | 1 | y | string |
test_RestSig_numRequiredParams
| (...items: (string \| ConcatArray<string>)[]): string[] | 0 |
| (...items: ConcatArray<string>[]): string[] | 0 |
| (...items: (string \| ConcatArray<string>)[]): T[] | 0 |
| (...items: ConcatArray<string>[]): T[] | 0 |
| (...items: string[]): number | 0 |
| (...strings: string[]): string | 0 |
| (...y: string[]): any | 0 |
| (start: number, deleteCount: number, ...items: string[]): string[] | 2 |
| (start: number, deleteCount: number, ...items: string[]): T[] | 2 |
| (substring: string, ...args: any[]): string | 1 |
| (x: number, ...y: string[]): any | 1 |
| new (...y: string[]): any | 0 |

30
javascript/ql/test/library-tests/frameworks/AngularJS/scopes/ScopeAccess.expected
View File

@@ -1,9 +1,13 @@
| isolate scope for directive1 | scope-access.js:4:41:4:45 | scope |
| isolate scope for directive1 | scope-access.js:5:17:5:21 | scope |
| isolate scope for directive1 | scope-access.js:7:20:7:21 | {} |
| isolate scope for directive2 | scope-access.js:12:34:12:39 | $scope |
| isolate scope for directive2 | scope-access.js:13:17:13:22 | $scope |
| isolate scope for directive2 | scope-access.js:15:20:15:21 | {} |
| isolate scope for directive3 | scope-access.js:20:39:20:44 | $scope |
| isolate scope for directive3 | scope-access.js:21:17:21:22 | $scope |
| isolate scope for directive3 | scope-access.js:23:20:23:21 | {} |
| isolate scope for directive4 | scope-access.js:28:45:28:45 | a |
| isolate scope for directive4 | scope-access.js:29:17:29:17 | a |
| isolate scope for directive4 | scope-access.js:31:20:31:21 | {} |
| isolate scope for directive5 | scope-access.js:37:17:37:20 | this |
@@ -12,51 +16,77 @@
| isolate scope for directive6 | scope-access.js:48:20:48:21 | {} |
| isolate scope for myCustomer | dev-guide-5.js:11:12:13:5 | { // Sc ... y\\n } |
| isolate scope for myCustomer | dev-guide-6.js:11:12:13:5 | { // Sc ... y\\n } |
| scope for <directive7>...</> | scope-access.js:54:34:54:39 | $scope |
| scope for <directive7>...</> | scope-access.js:55:17:55:22 | $scope |
| scope for <div>...</> | dev-guide-1.js:4:49:4:54 | $scope |
| scope for <div>...</> | dev-guide-1.js:5:3:5:8 | $scope |
| scope for <div>...</> | dev-guide-1.js:7:3:7:8 | $scope |
| scope for <div>...</> | dev-guide-1.js:8:5:8:10 | $scope |
| scope for <div>...</> | dev-guide-1.js:8:34:8:39 | $scope |
| scope for <div>...</> | dev-guide-2.js:4:66:4:71 | $scope |
| scope for <div>...</> | dev-guide-2.js:5:3:5:8 | $scope |
| scope for <div>...</> | dev-guide-2.js:8:51:8:56 | $scope |
| scope for <div>...</> | dev-guide-2.js:9:3:9:8 | $scope |
| scope for <div>...</> | dev-guide-3.js:4:52:4:57 | $scope |
| scope for <div>...</> | dev-guide-3.js:5:3:5:8 | $scope |
| scope for <div>...</> | dev-guide-3.js:6:3:6:8 | $scope |
| scope for <div>...</> | dev-guide-3.js:7:5:7:10 | $scope |
| scope for <div>...</> | dev-guide-4.js:4:52:4:57 | $scope |
| scope for <div>...</> | dev-guide-4.js:5:3:5:8 | $scope |
| scope for <div>...</> | dev-guide-4.js:10:51:10:56 | $scope |
| scope for <div>...</> | dev-guide-4.js:11:3:11:8 | $scope |
| scope for <div>...</> | dev-guide-5.js:4:47:4:52 | $scope |
| scope for <div>...</> | dev-guide-5.js:4:47:4:52 | $scope |
| scope for <div>...</> | dev-guide-5.js:5:3:5:8 | $scope |
| scope for <div>...</> | dev-guide-5.js:5:3:5:8 | $scope |
| scope for <div>...</> | dev-guide-5.js:6:3:6:8 | $scope |
| scope for <div>...</> | dev-guide-5.js:6:3:6:8 | $scope |
| scope for <div>...</> | dev-guide-6.js:4:47:4:52 | $scope |
| scope for <div>...</> | dev-guide-6.js:4:47:4:52 | $scope |
| scope for <div>...</> | dev-guide-6.js:5:3:5:8 | $scope |
| scope for <div>...</> | dev-guide-6.js:5:3:5:8 | $scope |
| scope for <div>...</> | dev-guide-6.js:6:3:6:8 | $scope |
| scope for <div>...</> | dev-guide-6.js:6:3:6:8 | $scope |
| scope for <elementthatusescontroller1>...</> | scope-access.js:59:52:59:57 | $scope |
| scope for <elementthatusescontroller1>...</> | scope-access.js:60:9:60:14 | $scope |
| scope for <li>...</> | dev-guide-3.js:4:52:4:57 | $scope |
| scope for <li>...</> | dev-guide-3.js:4:52:4:57 | $scope |
| scope for <li>...</> | dev-guide-3.js:5:3:5:8 | $scope |
| scope for <li>...</> | dev-guide-3.js:5:3:5:8 | $scope |
| scope for <li>...</> | dev-guide-3.js:6:3:6:8 | $scope |
| scope for <li>...</> | dev-guide-3.js:6:3:6:8 | $scope |
| scope for <li>...</> | dev-guide-3.js:7:5:7:10 | $scope |
| scope for <li>...</> | dev-guide-3.js:7:5:7:10 | $scope |
| scope in dev-guide-1.html | dev-guide-1.js:4:49:4:54 | $scope |
| scope in dev-guide-1.html | dev-guide-1.js:5:3:5:8 | $scope |
| scope in dev-guide-1.html | dev-guide-1.js:7:3:7:8 | $scope |
| scope in dev-guide-1.html | dev-guide-1.js:8:5:8:10 | $scope |
| scope in dev-guide-1.html | dev-guide-1.js:8:34:8:39 | $scope |
| scope in dev-guide-2.html | dev-guide-2.js:4:66:4:71 | $scope |
| scope in dev-guide-2.html | dev-guide-2.js:5:3:5:8 | $scope |
| scope in dev-guide-2.html | dev-guide-2.js:8:51:8:56 | $scope |
| scope in dev-guide-2.html | dev-guide-2.js:9:3:9:8 | $scope |
| scope in dev-guide-3.html | dev-guide-3.js:4:52:4:57 | $scope |
| scope in dev-guide-3.html | dev-guide-3.js:5:3:5:8 | $scope |
| scope in dev-guide-3.html | dev-guide-3.js:6:3:6:8 | $scope |
| scope in dev-guide-3.html | dev-guide-3.js:7:5:7:10 | $scope |
| scope in dev-guide-4.html | dev-guide-4.js:4:52:4:57 | $scope |
| scope in dev-guide-4.html | dev-guide-4.js:5:3:5:8 | $scope |
| scope in dev-guide-4.html | dev-guide-4.js:10:51:10:56 | $scope |
| scope in dev-guide-4.html | dev-guide-4.js:11:3:11:8 | $scope |
| scope in dev-guide-5.html | dev-guide-5.js:4:47:4:52 | $scope |
| scope in dev-guide-5.html | dev-guide-5.js:5:3:5:8 | $scope |
| scope in dev-guide-5.html | dev-guide-5.js:6:3:6:8 | $scope |
| scope in dev-guide-5.html | dev-guide-6.js:4:47:4:52 | $scope |
| scope in dev-guide-5.html | dev-guide-6.js:5:3:5:8 | $scope |
| scope in dev-guide-5.html | dev-guide-6.js:6:3:6:8 | $scope |
| scope in dev-guide-6.html | dev-guide-5.js:4:47:4:52 | $scope |
| scope in dev-guide-6.html | dev-guide-5.js:5:3:5:8 | $scope |
| scope in dev-guide-6.html | dev-guide-5.js:6:3:6:8 | $scope |
| scope in dev-guide-6.html | dev-guide-6.js:4:47:4:52 | $scope |
| scope in dev-guide-6.html | dev-guide-6.js:5:3:5:8 | $scope |
| scope in dev-guide-6.html | dev-guide-6.js:6:3:6:8 | $scope |
| scope in scope-access.html | scope-access.js:54:34:54:39 | $scope |
| scope in scope-access.html | scope-access.js:55:17:55:22 | $scope |
| scope in scope-access.html | scope-access.js:59:52:59:57 | $scope |
| scope in scope-access.html | scope-access.js:60:9:60:14 | $scope |

1
javascript/ql/test/library-tests/frameworks/Electron/BrowserObject.expected
View File

@@ -3,6 +3,7 @@
| electron.js:4:5:4:46 | bv |
| electron.js:4:10:4:46 | new Bro ... s: {}}) |
| electron.js:35:14:35:14 | x |
| electron.js:35:14:35:14 | x |
| electron.js:36:12:36:12 | x |
| electron.js:39:1:39:7 | foo(bw) |
| electron.js:39:5:39:6 | bw |

166
javascript/ql/test/library-tests/frameworks/Express/tests.expected
View File

@@ -182,16 +182,30 @@ test_RouterDefinition_getMiddlewareStackAt
| src/subrouter.js:2:11:2:19 | express() | src/subrouter.js:7:1:12:1 | functio ... uter;\\n} | src/subrouter.js:5:14:5:28 | makeSubRouter() |
| src/subrouter.js:2:11:2:19 | express() | src/subrouter.js:13:1:13:0 | exit node of <toplevel> | src/subrouter.js:5:14:5:28 | makeSubRouter() |
test_isRequest
| src/csurf-example.js:20:28:20:30 | req |
| src/csurf-example.js:22:35:22:37 | req |
| src/csurf-example.js:25:32:25:34 | req |
| src/csurf-example.js:32:40:32:42 | req |
| src/csurf-example.js:39:36:39:38 | req |
| src/csurf-example.js:40:37:40:39 | req |
| src/exportedHandler.js:1:44:1:46 | req |
| src/express2.js:3:34:3:36 | req |
| src/express2.js:3:46:3:48 | req |
| src/express2.js:4:41:4:47 | request |
| src/express2.js:4:60:4:66 | request |
| src/express3.js:4:32:4:34 | req |
| src/express3.js:5:14:5:16 | req |
| src/express3.js:5:35:5:37 | req |
| src/express3.js:10:22:10:24 | req |
| src/express4.js:4:32:4:34 | req |
| src/express4.js:5:27:5:29 | req |
| src/express4.js:6:18:6:20 | req |
| src/express4.js:7:18:7:20 | req |
| src/express.js:4:32:4:34 | req |
| src/express.js:5:16:5:18 | req |
| src/express.js:6:26:6:28 | req |
| src/express.js:16:28:16:30 | req |
| src/express.js:22:39:22:41 | req |
| src/express.js:23:3:23:5 | req |
| src/express.js:24:3:24:5 | req |
| src/express.js:25:3:25:5 | req |
@@ -200,15 +214,28 @@ test_isRequest
| src/express.js:28:3:28:5 | req |
| src/express.js:29:3:29:5 | req |
| src/express.js:30:3:30:5 | req |
| src/express.js:37:22:37:24 | req |
| src/express.js:42:13:42:15 | req |
| src/express.js:46:31:46:33 | req |
| src/express.js:47:3:47:5 | req |
| src/express.js:48:3:48:5 | req |
| src/express.js:49:3:49:5 | req |
| src/express.js:50:3:50:5 | req |
| src/inheritedFromNode.js:4:24:4:26 | req |
| src/inheritedFromNode.js:7:2:7:4 | req |
| src/params.js:4:19:4:21 | req |
| src/params.js:5:17:5:19 | req |
| src/params.js:6:17:6:19 | req |
| src/params.js:14:33:14:35 | req |
| src/passport.js:27:13:27:15 | req |
| src/passport.js:28:2:28:4 | req |
| src/responseExprs.js:4:32:4:34 | req |
| src/responseExprs.js:7:32:7:34 | req |
| src/responseExprs.js:10:39:10:41 | req |
| src/responseExprs.js:13:32:13:34 | req |
| src/responseExprs.js:16:39:16:41 | req |
| src/responseExprs.js:17:5:17:7 | req |
| src/route.js:5:21:5:23 | req |
test_RouteSetup_getRouter
| src/auth.js:4:1:4:53 | app.use ... d' }})) | src/auth.js:1:13:1:32 | require('express')() |
| src/csurf-example.js:13:1:13:20 | app.use('/api', api) | src/csurf-example.js:7:11:7:19 | express() |
@@ -341,43 +368,69 @@ test_RouteSetup_handlesSameRequestMethodAs
test_HeaderDefinition_defines
| src/express.js:7:3:7:42 | res.hea ... plain") | content-type | text/plain |
test_ResponseExpr
| src/csurf-example.js:20:33:20:35 | res | src/csurf-example.js:20:18:23:1 | functio ... () })\\n} |
| src/csurf-example.js:22:3:22:5 | res | src/csurf-example.js:20:18:23:1 | functio ... () })\\n} |
| src/csurf-example.js:25:37:25:39 | res | src/csurf-example.js:25:22:27:1 | functio ... ere')\\n} |
| src/csurf-example.js:26:3:26:5 | res | src/csurf-example.js:25:22:27:1 | functio ... ere')\\n} |
| src/csurf-example.js:26:3:26:43 | res.sen ... here') | src/csurf-example.js:25:22:27:1 | functio ... ere')\\n} |
| src/csurf-example.js:32:45:32:47 | res | src/csurf-example.js:32:30:34:3 | functio ... e')\\n } |
| src/csurf-example.js:33:5:33:7 | res | src/csurf-example.js:32:30:34:3 | functio ... e')\\n } |
| src/csurf-example.js:33:5:33:35 | res.sen ... here') | src/csurf-example.js:32:30:34:3 | functio ... e')\\n } |
| src/csurf-example.js:39:41:39:43 | res | src/csurf-example.js:39:26:39:47 | functio ... res) {} |
| src/csurf-example.js:40:42:40:44 | res | src/csurf-example.js:40:27:40:48 | functio ... res) {} |
| src/exportedHandler.js:1:49:1:51 | res | src/exportedHandler.js:1:19:1:55 | functio ... res) {} |
| src/express2.js:3:39:3:41 | res | src/express2.js:3:25:3:55 | functio ... , res } |
| src/express2.js:3:46:3:53 | req, res | src/express2.js:3:25:3:55 | functio ... , res } |
| src/express2.js:3:51:3:53 | res | src/express2.js:3:25:3:55 | functio ... , res } |
| src/express2.js:4:50:4:55 | result | src/express2.js:4:32:4:76 | functio ... esult } |
| src/express2.js:4:60:4:74 | request, result | src/express2.js:4:32:4:76 | functio ... esult } |
| src/express2.js:4:69:4:74 | result | src/express2.js:4:32:4:76 | functio ... esult } |
| src/express3.js:4:37:4:39 | res | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express3.js:5:3:5:5 | res | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express3.js:5:3:5:51 | res.hea ... "val")) | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express3.js:6:3:6:5 | res | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express3.js:6:3:6:17 | res.send("val") | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express3.js:10:27:10:29 | res | src/express3.js:10:12:10:32 | functio ... res){} |
| src/express4.js:4:37:4:39 | res | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
| src/express4.js:8:3:8:5 | res | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
| src/express4.js:8:3:8:20 | res.send(dynamic1) | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
| src/express.js:4:37:4:39 | res | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:5:3:5:5 | res | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:6:3:6:5 | res | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:6:3:6:45 | res.hea ... rget")) | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:7:3:7:5 | res | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:7:3:7:42 | res.hea ... plain") | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:8:7:8:9 | res | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:11:14:11:16 | arg | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:12:3:12:5 | arg | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:12:3:12:54 | arg.hea ... , true) | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:16:33:16:35 | res | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:17:5:17:7 | res | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:17:5:17:24 | res.send("Go away.") | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:22:44:22:46 | res | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:31:3:31:5 | res | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:31:3:31:26 | res.coo ... 'bar') | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:37:27:37:29 | res | src/express.js:37:12:37:32 | functio ... res){} |
| src/express.js:42:18:42:20 | res | src/express.js:42:12:42:28 | (req, res) => f() |
| src/express.js:46:36:46:38 | res | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/inheritedFromNode.js:4:29:4:31 | res | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:5:2:5:4 | res | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:6:2:6:4 | res | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/params.js:4:24:4:26 | res | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:8:9:8:11 | res | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:8:9:8:23 | res.send(value) | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:14:38:14:40 | res | src/params.js:14:24:16:1 | functio ... lo");\\n} |
| src/params.js:15:3:15:5 | res | src/params.js:14:24:16:1 | functio ... lo");\\n} |
| src/params.js:15:3:15:19 | res.send("Hello") | src/params.js:14:24:16:1 | functio ... lo");\\n} |
| src/responseExprs.js:4:37:4:40 | res1 | src/responseExprs.js:4:23:6:1 | functio ... res1\\n} |
| src/responseExprs.js:5:5:5:8 | res1 | src/responseExprs.js:4:23:6:1 | functio ... res1\\n} |
| src/responseExprs.js:7:37:7:40 | res2 | src/responseExprs.js:7:23:9:1 | functio ... res2;\\n} |
| src/responseExprs.js:8:5:8:8 | res2 | src/responseExprs.js:7:23:9:1 | functio ... res2;\\n} |
| src/responseExprs.js:10:44:10:47 | res3 | src/responseExprs.js:10:23:12:1 | functio ... res3;\\n} |
| src/responseExprs.js:11:5:11:8 | res3 | src/responseExprs.js:10:23:12:1 | functio ... res3;\\n} |
| src/responseExprs.js:13:37:13:40 | res4 | src/responseExprs.js:13:23:15:1 | functio ... res4;\\n} |
| src/responseExprs.js:14:5:14:8 | res4 | src/responseExprs.js:13:23:15:1 | functio ... res4;\\n} |
| src/responseExprs.js:16:44:16:46 | res | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:19:5:19:7 | res | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:19:5:19:16 | res.append() | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:20:5:20:7 | res | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
@@ -415,8 +468,10 @@ test_ResponseExpr
| src/responseExprs.js:37:5:37:28 | f(res.a ... ppend() | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:37:7:37:9 | res | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:37:7:37:18 | res.append() | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:39:16:39:21 | resArg | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:40:16:40:21 | resArg | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:40:16:40:30 | resArg.append() | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/route.js:5:26:5:28 | res | src/route.js:5:12:5:38 | functio ... ext) {} |
test_RouterDefinition_getARouteHandler
| src/csurf-example.js:7:11:7:19 | express() | src/csurf-example.js:20:18:23:1 | functio ... () })\\n} |
| src/csurf-example.js:7:11:7:19 | express() | src/csurf-example.js:25:22:27:1 | functio ... ere')\\n} |
@@ -664,43 +719,69 @@ test_RouteExpr
| src/subrouter.js:9:3:9:35 | router. ... ndler1) | src/subrouter.js:8:16:8:31 | express.Router() |
| src/subrouter.js:10:3:10:41 | router. ... ndler2) | src/subrouter.js:8:16:8:31 | express.Router() |
test_RouteHandler_getAResponseExpr
| src/csurf-example.js:20:18:23:1 | functio ... () })\\n} | src/csurf-example.js:20:33:20:35 | res |
| src/csurf-example.js:20:18:23:1 | functio ... () })\\n} | src/csurf-example.js:22:3:22:5 | res |
| src/csurf-example.js:25:22:27:1 | functio ... ere')\\n} | src/csurf-example.js:25:37:25:39 | res |
| src/csurf-example.js:25:22:27:1 | functio ... ere')\\n} | src/csurf-example.js:26:3:26:5 | res |
| src/csurf-example.js:25:22:27:1 | functio ... ere')\\n} | src/csurf-example.js:26:3:26:43 | res.sen ... here') |
| src/csurf-example.js:32:30:34:3 | functio ... e')\\n } | src/csurf-example.js:32:45:32:47 | res |
| src/csurf-example.js:32:30:34:3 | functio ... e')\\n } | src/csurf-example.js:33:5:33:7 | res |
| src/csurf-example.js:32:30:34:3 | functio ... e')\\n } | src/csurf-example.js:33:5:33:35 | res.sen ... here') |
| src/csurf-example.js:39:26:39:47 | functio ... res) {} | src/csurf-example.js:39:41:39:43 | res |
| src/csurf-example.js:40:27:40:48 | functio ... res) {} | src/csurf-example.js:40:42:40:44 | res |
| src/exportedHandler.js:1:19:1:55 | functio ... res) {} | src/exportedHandler.js:1:49:1:51 | res |
| src/express2.js:3:25:3:55 | functio ... , res } | src/express2.js:3:39:3:41 | res |
| src/express2.js:3:25:3:55 | functio ... , res } | src/express2.js:3:46:3:53 | req, res |
| src/express2.js:3:25:3:55 | functio ... , res } | src/express2.js:3:51:3:53 | res |
| src/express2.js:4:32:4:76 | functio ... esult } | src/express2.js:4:50:4:55 | result |
| src/express2.js:4:32:4:76 | functio ... esult } | src/express2.js:4:60:4:74 | request, result |
| src/express2.js:4:32:4:76 | functio ... esult } | src/express2.js:4:69:4:74 | result |
| src/express3.js:4:23:7:1 | functio ... al");\\n} | src/express3.js:4:37:4:39 | res |
| src/express3.js:4:23:7:1 | functio ... al");\\n} | src/express3.js:5:3:5:5 | res |
| src/express3.js:4:23:7:1 | functio ... al");\\n} | src/express3.js:5:3:5:51 | res.hea ... "val")) |
| src/express3.js:4:23:7:1 | functio ... al");\\n} | src/express3.js:6:3:6:5 | res |
| src/express3.js:4:23:7:1 | functio ... al");\\n} | src/express3.js:6:3:6:17 | res.send("val") |
| src/express3.js:10:12:10:32 | functio ... res){} | src/express3.js:10:27:10:29 | res |
| src/express4.js:4:23:9:1 | functio ... ic1);\\n} | src/express4.js:4:37:4:39 | res |
| src/express4.js:4:23:9:1 | functio ... ic1);\\n} | src/express4.js:8:3:8:5 | res |
| src/express4.js:4:23:9:1 | functio ... ic1);\\n} | src/express4.js:8:3:8:20 | res.send(dynamic1) |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:4:37:4:39 | res |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:5:3:5:5 | res |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:6:3:6:5 | res |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:6:3:6:45 | res.hea ... rget")) |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:7:3:7:5 | res |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:7:3:7:42 | res.hea ... plain") |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:8:7:8:9 | res |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:11:14:11:16 | arg |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:12:3:12:5 | arg |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:12:3:12:54 | arg.hea ... , true) |
| src/express.js:16:19:18:3 | functio ... ");\\n } | src/express.js:16:33:16:35 | res |
| src/express.js:16:19:18:3 | functio ... ");\\n } | src/express.js:17:5:17:7 | res |
| src/express.js:16:19:18:3 | functio ... ");\\n } | src/express.js:17:5:17:24 | res.send("Go away.") |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:22:44:22:46 | res |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:31:3:31:5 | res |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:31:3:31:26 | res.coo ... 'bar') |
| src/express.js:37:12:37:32 | functio ... res){} | src/express.js:37:27:37:29 | res |
| src/express.js:42:12:42:28 | (req, res) => f() | src/express.js:42:18:42:20 | res |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:46:36:46:38 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:29:4:31 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:5:2:5:4 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:6:2:6:4 | res |
| src/params.js:4:18:12:1 | (req, r ... }\\n} | src/params.js:4:24:4:26 | res |
| src/params.js:4:18:12:1 | (req, r ... }\\n} | src/params.js:8:9:8:11 | res |
| src/params.js:4:18:12:1 | (req, r ... }\\n} | src/params.js:8:9:8:23 | res.send(value) |
| src/params.js:14:24:16:1 | functio ... lo");\\n} | src/params.js:14:38:14:40 | res |
| src/params.js:14:24:16:1 | functio ... lo");\\n} | src/params.js:15:3:15:5 | res |
| src/params.js:14:24:16:1 | functio ... lo");\\n} | src/params.js:15:3:15:19 | res.send("Hello") |
| src/responseExprs.js:4:23:6:1 | functio ... res1\\n} | src/responseExprs.js:4:37:4:40 | res1 |
| src/responseExprs.js:4:23:6:1 | functio ... res1\\n} | src/responseExprs.js:5:5:5:8 | res1 |
| src/responseExprs.js:7:23:9:1 | functio ... res2;\\n} | src/responseExprs.js:7:37:7:40 | res2 |
| src/responseExprs.js:7:23:9:1 | functio ... res2;\\n} | src/responseExprs.js:8:5:8:8 | res2 |
| src/responseExprs.js:10:23:12:1 | functio ... res3;\\n} | src/responseExprs.js:10:44:10:47 | res3 |
| src/responseExprs.js:10:23:12:1 | functio ... res3;\\n} | src/responseExprs.js:11:5:11:8 | res3 |
| src/responseExprs.js:13:23:15:1 | functio ... res4;\\n} | src/responseExprs.js:13:37:13:40 | res4 |
| src/responseExprs.js:13:23:15:1 | functio ... res4;\\n} | src/responseExprs.js:14:5:14:8 | res4 |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:16:44:16:46 | res |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:19:5:19:7 | res |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:19:5:19:16 | res.append() |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:20:5:20:7 | res |
@@ -738,46 +819,74 @@ test_RouteHandler_getAResponseExpr
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:37:5:37:28 | f(res.a ... ppend() |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:37:7:37:9 | res |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:37:7:37:18 | res.append() |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:39:16:39:21 | resArg |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:40:16:40:21 | resArg |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:40:16:40:30 | resArg.append() |
| src/route.js:5:12:5:38 | functio ... ext) {} | src/route.js:5:26:5:28 | res |
test_isResponse
| src/csurf-example.js:20:33:20:35 | res |
| src/csurf-example.js:22:3:22:5 | res |
| src/csurf-example.js:25:37:25:39 | res |
| src/csurf-example.js:26:3:26:5 | res |
| src/csurf-example.js:26:3:26:43 | res.sen ... here') |
| src/csurf-example.js:32:45:32:47 | res |
| src/csurf-example.js:33:5:33:7 | res |
| src/csurf-example.js:33:5:33:35 | res.sen ... here') |
| src/csurf-example.js:39:41:39:43 | res |
| src/csurf-example.js:40:42:40:44 | res |
| src/exportedHandler.js:1:49:1:51 | res |
| src/express2.js:3:39:3:41 | res |
| src/express2.js:3:46:3:53 | req, res |
| src/express2.js:3:51:3:53 | res |
| src/express2.js:4:50:4:55 | result |
| src/express2.js:4:60:4:74 | request, result |
| src/express2.js:4:69:4:74 | result |
| src/express3.js:4:37:4:39 | res |
| src/express3.js:5:3:5:5 | res |
| src/express3.js:5:3:5:51 | res.hea ... "val")) |
| src/express3.js:6:3:6:5 | res |
| src/express3.js:6:3:6:17 | res.send("val") |
| src/express3.js:10:27:10:29 | res |
| src/express4.js:4:37:4:39 | res |
| src/express4.js:8:3:8:5 | res |
| src/express4.js:8:3:8:20 | res.send(dynamic1) |
| src/express.js:4:37:4:39 | res |
| src/express.js:5:3:5:5 | res |
| src/express.js:6:3:6:5 | res |
| src/express.js:6:3:6:45 | res.hea ... rget")) |
| src/express.js:7:3:7:5 | res |
| src/express.js:7:3:7:42 | res.hea ... plain") |
| src/express.js:8:7:8:9 | res |
| src/express.js:11:14:11:16 | arg |
| src/express.js:12:3:12:5 | arg |
| src/express.js:12:3:12:54 | arg.hea ... , true) |
| src/express.js:16:33:16:35 | res |
| src/express.js:17:5:17:7 | res |
| src/express.js:17:5:17:24 | res.send("Go away.") |
| src/express.js:22:44:22:46 | res |
| src/express.js:31:3:31:5 | res |
| src/express.js:31:3:31:26 | res.coo ... 'bar') |
| src/express.js:37:27:37:29 | res |
| src/express.js:42:18:42:20 | res |
| src/express.js:46:36:46:38 | res |
| src/inheritedFromNode.js:4:29:4:31 | res |
| src/inheritedFromNode.js:5:2:5:4 | res |
| src/inheritedFromNode.js:6:2:6:4 | res |
| src/params.js:4:24:4:26 | res |
| src/params.js:8:9:8:11 | res |
| src/params.js:8:9:8:23 | res.send(value) |
| src/params.js:14:38:14:40 | res |
| src/params.js:15:3:15:5 | res |
| src/params.js:15:3:15:19 | res.send("Hello") |
| src/responseExprs.js:4:37:4:40 | res1 |
| src/responseExprs.js:5:5:5:8 | res1 |
| src/responseExprs.js:7:37:7:40 | res2 |
| src/responseExprs.js:8:5:8:8 | res2 |
| src/responseExprs.js:10:44:10:47 | res3 |
| src/responseExprs.js:11:5:11:8 | res3 |
| src/responseExprs.js:13:37:13:40 | res4 |
| src/responseExprs.js:14:5:14:8 | res4 |
| src/responseExprs.js:16:44:16:46 | res |
| src/responseExprs.js:19:5:19:7 | res |
| src/responseExprs.js:19:5:19:16 | res.append() |
| src/responseExprs.js:20:5:20:7 | res |
@@ -815,8 +924,10 @@ test_isResponse
| src/responseExprs.js:37:5:37:28 | f(res.a ... ppend() |
| src/responseExprs.js:37:7:37:9 | res |
| src/responseExprs.js:37:7:37:18 | res.append() |
| src/responseExprs.js:39:16:39:21 | resArg |
| src/responseExprs.js:40:16:40:21 | resArg |
| src/responseExprs.js:40:16:40:30 | resArg.append() |
| src/route.js:5:26:5:28 | res |
test_ResponseBody
| src/csurf-example.js:22:35:22:49 | req.csrfToken() | src/csurf-example.js:20:18:23:1 | functio ... () })\\n} |
| src/csurf-example.js:26:12:26:42 | 'csrf w ... t here' | src/csurf-example.js:25:22:27:1 | functio ... ere')\\n} |
@@ -1073,16 +1184,30 @@ test_RouteHandlerExpr_getPreviousMiddleware
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:44:9:44:25 | getArrowHandler() |
| src/subrouter.js:5:14:5:28 | makeSubRouter() | src/subrouter.js:4:19:4:25 | protect |
test_RequestExpr
| src/csurf-example.js:20:28:20:30 | req | src/csurf-example.js:20:18:23:1 | functio ... () })\\n} |
| src/csurf-example.js:22:35:22:37 | req | src/csurf-example.js:20:18:23:1 | functio ... () })\\n} |
| src/csurf-example.js:25:32:25:34 | req | src/csurf-example.js:25:22:27:1 | functio ... ere')\\n} |
| src/csurf-example.js:32:40:32:42 | req | src/csurf-example.js:32:30:34:3 | functio ... e')\\n } |
| src/csurf-example.js:39:36:39:38 | req | src/csurf-example.js:39:26:39:47 | functio ... res) {} |
| src/csurf-example.js:40:37:40:39 | req | src/csurf-example.js:40:27:40:48 | functio ... res) {} |
| src/exportedHandler.js:1:44:1:46 | req | src/exportedHandler.js:1:19:1:55 | functio ... res) {} |
| src/express2.js:3:34:3:36 | req | src/express2.js:3:25:3:55 | functio ... , res } |
| src/express2.js:3:46:3:48 | req | src/express2.js:3:25:3:55 | functio ... , res } |
| src/express2.js:4:41:4:47 | request | src/express2.js:4:32:4:76 | functio ... esult } |
| src/express2.js:4:60:4:66 | request | src/express2.js:4:32:4:76 | functio ... esult } |
| src/express3.js:4:32:4:34 | req | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express3.js:5:14:5:16 | req | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express3.js:5:35:5:37 | req | src/express3.js:4:23:7:1 | functio ... al");\\n} |
| src/express3.js:10:22:10:24 | req | src/express3.js:10:12:10:32 | functio ... res){} |
| src/express4.js:4:32:4:34 | req | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
| src/express4.js:5:27:5:29 | req | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
| src/express4.js:6:18:6:20 | req | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
| src/express4.js:7:18:7:20 | req | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
| src/express.js:4:32:4:34 | req | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:5:16:5:18 | req | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:6:26:6:28 | req | src/express.js:4:23:9:1 | functio ... res);\\n} |
| src/express.js:16:28:16:30 | req | src/express.js:16:19:18:3 | functio ... ");\\n } |
| src/express.js:22:39:22:41 | req | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:23:3:23:5 | req | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:24:3:24:5 | req | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:25:3:25:5 | req | src/express.js:22:30:32:1 | functio ... ar');\\n} |
@@ -1091,16 +1216,30 @@ test_RequestExpr
| src/express.js:28:3:28:5 | req | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:29:3:29:5 | req | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:30:3:30:5 | req | src/express.js:22:30:32:1 | functio ... ar');\\n} |
| src/express.js:37:22:37:24 | req | src/express.js:37:12:37:32 | functio ... res){} |
| src/express.js:42:13:42:15 | req | src/express.js:42:12:42:28 | (req, res) => f() |
| src/express.js:46:31:46:33 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:47:3:47:5 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:48:3:48:5 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:49:3:49:5 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/express.js:50:3:50:5 | req | src/express.js:46:22:51:1 | functio ... ame];\\n} |
| src/inheritedFromNode.js:4:24:4:26 | req | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:7:2:7:4 | req | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/params.js:4:19:4:21 | req | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:5:17:5:19 | req | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:6:17:6:19 | req | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:14:33:14:35 | req | src/params.js:14:24:16:1 | functio ... lo");\\n} |
| src/passport.js:27:13:27:15 | req | src/passport.js:27:4:29:1 | functio ... ccss`\\n} |
| src/passport.js:28:2:28:4 | req | src/passport.js:27:4:29:1 | functio ... ccss`\\n} |
| src/responseExprs.js:4:32:4:34 | req | src/responseExprs.js:4:23:6:1 | functio ... res1\\n} |
| src/responseExprs.js:7:32:7:34 | req | src/responseExprs.js:7:23:9:1 | functio ... res2;\\n} |
| src/responseExprs.js:10:39:10:41 | req | src/responseExprs.js:10:23:12:1 | functio ... res3;\\n} |
| src/responseExprs.js:13:32:13:34 | req | src/responseExprs.js:13:23:15:1 | functio ... res4;\\n} |
| src/responseExprs.js:16:39:16:41 | req | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:17:5:17:7 | req | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/route.js:5:21:5:23 | req | src/route.js:5:12:5:38 | functio ... ext) {} |
test_RequestExprStandalone
| typed_src/tst.ts:5:15:5:15 | x |
| typed_src/tst.ts:6:3:6:3 | x |
test_RouteHandlerExpr_getAsSubRouter
| src/csurf-example.js:13:17:13:19 | api | src/csurf-example.js:30:16:30:35 | new express.Router() |
@@ -1110,16 +1249,30 @@ test_Credentials
| src/auth.js:4:30:4:36 | 'admin' | user name |
| src/auth.js:4:39:4:48 | 'passw0rd' | password |
test_RouteHandler_getARequestExpr
| src/csurf-example.js:20:18:23:1 | functio ... () })\\n} | src/csurf-example.js:20:28:20:30 | req |
| src/csurf-example.js:20:18:23:1 | functio ... () })\\n} | src/csurf-example.js:22:35:22:37 | req |
| src/csurf-example.js:25:22:27:1 | functio ... ere')\\n} | src/csurf-example.js:25:32:25:34 | req |
| src/csurf-example.js:32:30:34:3 | functio ... e')\\n } | src/csurf-example.js:32:40:32:42 | req |
| src/csurf-example.js:39:26:39:47 | functio ... res) {} | src/csurf-example.js:39:36:39:38 | req |
| src/csurf-example.js:40:27:40:48 | functio ... res) {} | src/csurf-example.js:40:37:40:39 | req |
| src/exportedHandler.js:1:19:1:55 | functio ... res) {} | src/exportedHandler.js:1:44:1:46 | req |
| src/express2.js:3:25:3:55 | functio ... , res } | src/express2.js:3:34:3:36 | req |
| src/express2.js:3:25:3:55 | functio ... , res } | src/express2.js:3:46:3:48 | req |
| src/express2.js:4:32:4:76 | functio ... esult } | src/express2.js:4:41:4:47 | request |
| src/express2.js:4:32:4:76 | functio ... esult } | src/express2.js:4:60:4:66 | request |
| src/express3.js:4:23:7:1 | functio ... al");\\n} | src/express3.js:4:32:4:34 | req |
| src/express3.js:4:23:7:1 | functio ... al");\\n} | src/express3.js:5:14:5:16 | req |
| src/express3.js:4:23:7:1 | functio ... al");\\n} | src/express3.js:5:35:5:37 | req |
| src/express3.js:10:12:10:32 | functio ... res){} | src/express3.js:10:22:10:24 | req |
| src/express4.js:4:23:9:1 | functio ... ic1);\\n} | src/express4.js:4:32:4:34 | req |
| src/express4.js:4:23:9:1 | functio ... ic1);\\n} | src/express4.js:5:27:5:29 | req |
| src/express4.js:4:23:9:1 | functio ... ic1);\\n} | src/express4.js:6:18:6:20 | req |
| src/express4.js:4:23:9:1 | functio ... ic1);\\n} | src/express4.js:7:18:7:20 | req |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:4:32:4:34 | req |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:5:16:5:18 | req |
| src/express.js:4:23:9:1 | functio ... res);\\n} | src/express.js:6:26:6:28 | req |
| src/express.js:16:19:18:3 | functio ... ");\\n } | src/express.js:16:28:16:30 | req |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:22:39:22:41 | req |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:23:3:23:5 | req |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:24:3:24:5 | req |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:25:3:25:5 | req |
@@ -1128,12 +1281,25 @@ test_RouteHandler_getARequestExpr
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:28:3:28:5 | req |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:29:3:29:5 | req |
| src/express.js:22:30:32:1 | functio ... ar');\\n} | src/express.js:30:3:30:5 | req |
| src/express.js:37:12:37:32 | functio ... res){} | src/express.js:37:22:37:24 | req |
| src/express.js:42:12:42:28 | (req, res) => f() | src/express.js:42:13:42:15 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:46:31:46:33 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:47:3:47:5 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:48:3:48:5 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:49:3:49:5 | req |
| src/express.js:46:22:51:1 | functio ... ame];\\n} | src/express.js:50:3:50:5 | req |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:24:4:26 | req |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:7:2:7:4 | req |
| src/params.js:4:18:12:1 | (req, r ... }\\n} | src/params.js:4:19:4:21 | req |
| src/params.js:4:18:12:1 | (req, r ... }\\n} | src/params.js:5:17:5:19 | req |
| src/params.js:4:18:12:1 | (req, r ... }\\n} | src/params.js:6:17:6:19 | req |
| src/params.js:14:24:16:1 | functio ... lo");\\n} | src/params.js:14:33:14:35 | req |
| src/passport.js:27:4:29:1 | functio ... ccss`\\n} | src/passport.js:27:13:27:15 | req |
| src/passport.js:27:4:29:1 | functio ... ccss`\\n} | src/passport.js:28:2:28:4 | req |
| src/responseExprs.js:4:23:6:1 | functio ... res1\\n} | src/responseExprs.js:4:32:4:34 | req |
| src/responseExprs.js:7:23:9:1 | functio ... res2;\\n} | src/responseExprs.js:7:32:7:34 | req |
| src/responseExprs.js:10:23:12:1 | functio ... res3;\\n} | src/responseExprs.js:10:39:10:41 | req |
| src/responseExprs.js:13:23:15:1 | functio ... res4;\\n} | src/responseExprs.js:13:32:13:34 | req |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:16:39:16:41 | req |
| src/responseExprs.js:16:30:42:1 | functio ... }\\n} | src/responseExprs.js:17:5:17:7 | req |
| src/route.js:5:12:5:38 | functio ... ext) {} | src/route.js:5:21:5:23 | req |

44
javascript/ql/test/library-tests/frameworks/NodeJSLib/tests.expected
View File

@@ -33,13 +33,24 @@ test_SystemCommandExecution
| exec.js:6:1:6:28 | cp.spaw ... "], cb) | exec.js:6:10:6:15 | "echo" |
| exec.js:7:1:7:37 | cp.spaw ... here"]) | exec.js:7:14:7:19 | "echo" |
test_ResponseExpr
| createServer.js:2:35:2:37 | res | createServer.js:2:20:2:41 | functio ... res) {} |
| createServer.js:3:38:3:40 | res | createServer.js:3:23:3:44 | functio ... res) {} |
| createServer.js:4:37:4:39 | res | createServer.js:4:31:4:46 | (req, res) => {} |
| src/http.js:4:46:4:48 | res | src/http.js:4:32:10:1 | functio ... .foo;\\n} |
| src/http.js:7:3:7:5 | res | src/http.js:4:32:10:1 | functio ... .foo;\\n} |
| src/http.js:12:33:12:35 | res | src/http.js:12:19:16:1 | functio ... ar");\\n} |
| src/http.js:13:3:13:5 | res | src/http.js:12:19:16:1 | functio ... ar");\\n} |
| src/http.js:14:3:14:5 | res | src/http.js:12:19:16:1 | functio ... ar");\\n} |
| src/http.js:15:3:15:5 | res | src/http.js:12:19:16:1 | functio ... ar");\\n} |
| src/http.js:55:25:55:27 | res | src/http.js:55:12:55:30 | function(req,res){} |
| src/http.js:60:27:60:29 | res | src/http.js:60:14:60:32 | function(req,res){} |
| src/http.js:62:33:62:35 | res | src/http.js:62:19:65:1 | functio ... r2");\\n} |
| src/http.js:63:3:63:5 | res | src/http.js:62:19:65:1 | functio ... r2");\\n} |
| src/http.js:64:3:64:5 | res | src/http.js:62:19:65:1 | functio ... r2");\\n} |
| src/http.js:68:17:68:19 | res | src/http.js:68:12:68:27 | (req,res) => f() |
| src/https.js:4:47:4:49 | res | src/https.js:4:33:10:1 | functio ... .foo;\\n} |
| src/https.js:7:3:7:5 | res | src/https.js:4:33:10:1 | functio ... .foo;\\n} |
| src/https.js:12:34:12:36 | res | src/https.js:12:20:16:1 | functio ... ar");\\n} |
| src/https.js:13:3:13:5 | res | src/https.js:12:20:16:1 | functio ... ar");\\n} |
| src/https.js:14:3:14:5 | res | src/https.js:12:20:16:1 | functio ... ar");\\n} |
| src/https.js:15:3:15:5 | res | src/https.js:12:20:16:1 | functio ... ar");\\n} |
@@ -93,13 +104,24 @@ test_HeaderDefinition_getNameExpr
| src/https.js:7:3:7:42 | res.wri ... rget }) | src/https.js:7:17:7:19 | 302 |
| src/https.js:13:3:13:44 | res.set ... /html') | src/https.js:13:17:13:30 | 'Content-Type' |
test_RouteHandler_getAResponseExpr
| createServer.js:2:20:2:41 | functio ... res) {} | createServer.js:2:35:2:37 | res |
| createServer.js:3:23:3:44 | functio ... res) {} | createServer.js:3:38:3:40 | res |
| createServer.js:4:31:4:46 | (req, res) => {} | createServer.js:4:37:4:39 | res |
| src/http.js:4:32:10:1 | functio ... .foo;\\n} | src/http.js:4:46:4:48 | res |
| src/http.js:4:32:10:1 | functio ... .foo;\\n} | src/http.js:7:3:7:5 | res |
| src/http.js:12:19:16:1 | functio ... ar");\\n} | src/http.js:12:33:12:35 | res |
| src/http.js:12:19:16:1 | functio ... ar");\\n} | src/http.js:13:3:13:5 | res |
| src/http.js:12:19:16:1 | functio ... ar");\\n} | src/http.js:14:3:14:5 | res |
| src/http.js:12:19:16:1 | functio ... ar");\\n} | src/http.js:15:3:15:5 | res |
| src/http.js:55:12:55:30 | function(req,res){} | src/http.js:55:25:55:27 | res |
| src/http.js:60:14:60:32 | function(req,res){} | src/http.js:60:27:60:29 | res |
| src/http.js:62:19:65:1 | functio ... r2");\\n} | src/http.js:62:33:62:35 | res |
| src/http.js:62:19:65:1 | functio ... r2");\\n} | src/http.js:63:3:63:5 | res |
| src/http.js:62:19:65:1 | functio ... r2");\\n} | src/http.js:64:3:64:5 | res |
| src/http.js:68:12:68:27 | (req,res) => f() | src/http.js:68:17:68:19 | res |
| src/https.js:4:33:10:1 | functio ... .foo;\\n} | src/https.js:4:47:4:49 | res |
| src/https.js:4:33:10:1 | functio ... .foo;\\n} | src/https.js:7:3:7:5 | res |
| src/https.js:12:20:16:1 | functio ... ar");\\n} | src/https.js:12:34:12:36 | res |
| src/https.js:12:20:16:1 | functio ... ar");\\n} | src/https.js:13:3:13:5 | res |
| src/https.js:12:20:16:1 | functio ... ar");\\n} | src/https.js:14:3:14:5 | res |
| src/https.js:12:20:16:1 | functio ... ar");\\n} | src/https.js:15:3:15:5 | res |
@@ -162,13 +184,24 @@ test_RouteHandler
| src/https.js:4:33:10:1 | functio ... .foo;\\n} | src/https.js:4:14:10:2 | https.c ... foo;\\n}) |
| src/https.js:12:20:16:1 | functio ... ar");\\n} | src/https.js:12:1:16:2 | https.c ... r");\\n}) |
test_RequestExpr
| createServer.js:2:30:2:32 | req | createServer.js:2:20:2:41 | functio ... res) {} |
| createServer.js:3:33:3:35 | req | createServer.js:3:23:3:44 | functio ... res) {} |
| createServer.js:4:32:4:34 | req | createServer.js:4:31:4:46 | (req, res) => {} |
| src/http.js:4:41:4:43 | req | src/http.js:4:32:10:1 | functio ... .foo;\\n} |
| src/http.js:6:26:6:28 | req | src/http.js:4:32:10:1 | functio ... .foo;\\n} |
| src/http.js:8:3:8:5 | req | src/http.js:4:32:10:1 | functio ... .foo;\\n} |
| src/http.js:9:3:9:5 | req | src/http.js:4:32:10:1 | functio ... .foo;\\n} |
| src/http.js:12:28:12:30 | req | src/http.js:12:19:16:1 | functio ... ar");\\n} |
| src/http.js:55:21:55:23 | req | src/http.js:55:12:55:30 | function(req,res){} |
| src/http.js:60:23:60:25 | req | src/http.js:60:14:60:32 | function(req,res){} |
| src/http.js:62:28:62:30 | req | src/http.js:62:19:65:1 | functio ... r2");\\n} |
| src/http.js:63:17:63:19 | req | src/http.js:62:19:65:1 | functio ... r2");\\n} |
| src/http.js:68:13:68:15 | req | src/http.js:68:12:68:27 | (req,res) => f() |
| src/https.js:4:42:4:44 | req | src/https.js:4:33:10:1 | functio ... .foo;\\n} |
| src/https.js:6:26:6:28 | req | src/https.js:4:33:10:1 | functio ... .foo;\\n} |
| src/https.js:8:3:8:5 | req | src/https.js:4:33:10:1 | functio ... .foo;\\n} |
| src/https.js:9:3:9:5 | req | src/https.js:4:33:10:1 | functio ... .foo;\\n} |
| src/https.js:12:29:12:31 | req | src/https.js:12:20:16:1 | functio ... ar");\\n} |
test_SystemCommandExecution_getAnArgumentForCommand
| exec.js:3:1:3:38 | cp.exec ... "], cb) | exec.js:3:21:3:33 | ["--version"] |
| exec.js:4:1:4:47 | cp.exec ... sion"]) | exec.js:4:23:4:46 | ["-c", ... rsion"] |
@@ -179,10 +212,21 @@ test_Credentials
| src/http.js:18:22:18:27 | "auth" | credentials |
| src/https.js:18:23:18:28 | "auth" | credentials |
test_RouteHandler_getARequestExpr
| createServer.js:2:20:2:41 | functio ... res) {} | createServer.js:2:30:2:32 | req |
| createServer.js:3:23:3:44 | functio ... res) {} | createServer.js:3:33:3:35 | req |
| createServer.js:4:31:4:46 | (req, res) => {} | createServer.js:4:32:4:34 | req |
| src/http.js:4:32:10:1 | functio ... .foo;\\n} | src/http.js:4:41:4:43 | req |
| src/http.js:4:32:10:1 | functio ... .foo;\\n} | src/http.js:6:26:6:28 | req |
| src/http.js:4:32:10:1 | functio ... .foo;\\n} | src/http.js:8:3:8:5 | req |
| src/http.js:4:32:10:1 | functio ... .foo;\\n} | src/http.js:9:3:9:5 | req |
| src/http.js:12:19:16:1 | functio ... ar");\\n} | src/http.js:12:28:12:30 | req |
| src/http.js:55:12:55:30 | function(req,res){} | src/http.js:55:21:55:23 | req |
| src/http.js:60:14:60:32 | function(req,res){} | src/http.js:60:23:60:25 | req |
| src/http.js:62:19:65:1 | functio ... r2");\\n} | src/http.js:62:28:62:30 | req |
| src/http.js:62:19:65:1 | functio ... r2");\\n} | src/http.js:63:17:63:19 | req |
| src/http.js:68:12:68:27 | (req,res) => f() | src/http.js:68:13:68:15 | req |
| src/https.js:4:33:10:1 | functio ... .foo;\\n} | src/https.js:4:42:4:44 | req |
| src/https.js:4:33:10:1 | functio ... .foo;\\n} | src/https.js:6:26:6:28 | req |
| src/https.js:4:33:10:1 | functio ... .foo;\\n} | src/https.js:8:3:8:5 | req |
| src/https.js:4:33:10:1 | functio ... .foo;\\n} | src/https.js:9:3:9:5 | req |
| src/https.js:12:20:16:1 | functio ... ar");\\n} | src/https.js:12:29:12:31 | req |

6
javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
View File

@@ -2,6 +2,7 @@
| mssql1.js:7:75:7:79 | value |
| mssql2.js:5:15:5:34 | 'select 1 as number' |
| mssql2.js:13:15:13:66 | 'create ... table' |
| mssql2.js:22:24:22:43 | 'select 1 as number' |
| mysql1.js:13:18:13:43 | 'SELECT ... lution' |
| mysql1.js:18:18:22:1 | {\\n s ... vid']\\n} |
| mysql2.js:12:12:12:37 | 'SELECT ... lution' |
@@ -9,12 +10,15 @@
| mysql2tst.js:23:3:23:56 | 'SELECT ... e` > ?' |
| mysql3.js:14:20:14:52 | 'SELECT ... etable' |
| mysql4.js:14:18:14:20 | sql |
| mysqlImport.js:3:18:5:1 | {\\n s ... = ?',\\n} |
| postgres1.js:37:21:37:24 | text |
| postgres2.js:30:16:30:41 | 'SELECT ... number' |
| postgres3.js:15:16:15:40 | 'SELECT ... s name' |
| postgres5.js:8:21:8:25 | query |
| postgresImport.js:4:18:4:43 | 'SELECT ... number' |
| sequelize2.js:10:17:10:118 | 'SELECT ... Y name' |
| sequelize.js:8:17:8:118 | 'SELECT ... Y name' |
| sequelizeImport.js:3:17:3:118 | 'SELECT ... Y name' |
| spanner2.js:5:26:5:35 | "SQL code" |
| spanner2.js:7:35:7:44 | "SQL code" |
| spanner.js:6:8:6:17 | "SQL code" |
@@ -35,4 +39,6 @@
| spanner.js:18:16:18:25 | "SQL code" |
| spanner.js:19:16:19:34 | { sql: "SQL code" } |
| spanner.js:19:23:19:32 | "SQL code" |
| spannerImport.js:4:8:4:17 | "SQL code" |
| sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |
| sqliteImport.js:2:8:2:44 | "UPDATE ... id = ?" |

10
javascript/ql/test/library-tests/frameworks/SQL/mssql2.js
View File

@@ -13,3 +13,13 @@ request.query('select 1 as number', (err, result) => {
request.batch('create procedure #temporary as select * from table', (err, result) => {
// ... error checks
})
class C {
constructor(req) {
this.req = req;
}
send() {
this.req.query('select 1 as number', (err, result) => {})
}
}
new C(new sql.Request());

2
javascript/ql/test/library-tests/frameworks/SQL/mysql1.js
View File

@@ -26,3 +26,5 @@ connection.query({
});
connection.end();
exports.connection = connection;

6
javascript/ql/test/library-tests/frameworks/SQL/mysqlImport.js Normal file
View File

@@ -0,0 +1,6 @@
const { connection } = require("./mysql1");
connection.query({
sql: 'SELECT * FROM `books` WHERE `author` = ?',
}, function (error, results, fields) {
});

2
javascript/ql/test/library-tests/frameworks/SQL/postgres1.js
View File

@@ -36,3 +36,5 @@ module.exports.query = function (text, values, callback) {
console.log('query:', text, values);
return pool.query(text, values, callback);
};
module.exports.pool = pool;

6
javascript/ql/test/library-tests/frameworks/SQL/postgresImport.js Normal file
View File

@@ -0,0 +1,6 @@
const { pool } = require("./postgres1");
pool.connect((err, client, done) => {
client.query('SELECT $1::int AS number', ['1'], function(err, result) {
});
});

2
javascript/ql/test/library-tests/frameworks/SQL/sequelize.js
View File

@@ -7,3 +7,5 @@ const sequelize = new Sequelize('database', 'username', 'password', {
});
sequelize.query('SELECT * FROM Products WHERE (name LIKE \'%' + criteria + '%\') AND deletedAt IS NULL) ORDER BY name');
exports.sequelize = sequelize;

3
javascript/ql/test/library-tests/frameworks/SQL/sequelizeImport.js Normal file
View File

@@ -0,0 +1,3 @@
const { sequelize } = require("./sequelize");
sequelize.query('SELECT * FROM Products WHERE (name LIKE \'%' + criteria + '%\') AND deletedAt IS NULL) ORDER BY name');

4
javascript/ql/test/library-tests/frameworks/SQL/spanner.js
View File

@@ -17,4 +17,6 @@ db.runTransaction((err, tx) => {
tx.runStream({ sql: "SQL code" });
tx.runUpdate("SQL code");
tx.runUpdate({ sql: "SQL code" });
});
});
exports.instance = instance;

4
javascript/ql/test/library-tests/frameworks/SQL/spannerImport.js Normal file
View File

@@ -0,0 +1,4 @@
const { instance } = require('./spanner');
const db = instance.database('db');
db.run("SQL code", (err, rows) => {});

2
javascript/ql/test/library-tests/frameworks/SQL/sqlite.js
View File

@@ -5,3 +5,5 @@ var sqlite = require('sqlite3');
var db = new sqlite.Database(":memory:");
db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2);
exports.db = db;

2
javascript/ql/test/library-tests/frameworks/SQL/sqliteImport.js Normal file
View File

@@ -0,0 +1,2 @@
const { db } = require('./sqlite');
db.run("UPDATE foo SET bar = ? WHERE id = ?", "bar", 2);

20
javascript/ql/test/library-tests/frameworks/connect/tests.expected
View File

@@ -14,7 +14,12 @@ test_HeaderDefinition_defines
| src/test.js:7:5:7:32 | res.set ... 1', '') | header1 | |
| src/test.js:25:5:25:32 | res.set ... 2', '') | header2 | |
test_ResponseExpr
| src/test.js:6:32:6:34 | res | src/test.js:6:9:9:1 | functio ... oo');\\n} |
| src/test.js:7:5:7:7 | res | src/test.js:6:9:9:1 | functio ... oo');\\n} |
| src/test.js:15:27:15:29 | res | src/test.js:15:12:15:32 | functio ... res){} |
| src/test.js:19:22:19:24 | res | src/test.js:19:9:19:27 | function(req,res){} |
| src/test.js:20:23:20:25 | res | src/test.js:20:10:20:28 | function(req,res){} |
| src/test.js:24:31:24:33 | res | src/test.js:24:9:26:1 | functio ... '');\\n} |
| src/test.js:25:5:25:7 | res | src/test.js:24:9:26:1 | functio ... '');\\n} |
test_HeaderDefinition
| src/test.js:7:5:7:32 | res.set ... 1', '') | src/test.js:6:9:9:1 | functio ... oo');\\n} |
@@ -32,7 +37,12 @@ test_HeaderDefinition_getAHeaderName
test_ServerDefinition
| src/test.js:4:11:4:19 | connect() |
test_RouteHandler_getAResponseExpr
| src/test.js:6:9:9:1 | functio ... oo');\\n} | src/test.js:6:32:6:34 | res |
| src/test.js:6:9:9:1 | functio ... oo');\\n} | src/test.js:7:5:7:7 | res |
| src/test.js:15:12:15:32 | functio ... res){} | src/test.js:15:27:15:29 | res |
| src/test.js:19:9:19:27 | function(req,res){} | src/test.js:19:22:19:24 | res |
| src/test.js:20:10:20:28 | function(req,res){} | src/test.js:20:23:20:25 | res |
| src/test.js:24:9:26:1 | functio ... '');\\n} | src/test.js:24:31:24:33 | res |
| src/test.js:24:9:26:1 | functio ... '');\\n} | src/test.js:25:5:25:7 | res |
test_RouteSetup_getARouteHandler
| src/test.js:6:1:9:2 | app.use ... o');\\n}) | src/test.js:6:9:9:1 | functio ... oo');\\n} |
@@ -49,9 +59,19 @@ test_RouteHandler
| src/test.js:20:10:20:28 | function(req,res){} | src/test.js:4:11:4:19 | connect() |
| src/test.js:24:9:26:1 | functio ... '');\\n} | src/test.js:4:11:4:19 | connect() |
test_RequestExpr
| src/test.js:6:27:6:29 | req | src/test.js:6:9:9:1 | functio ... oo');\\n} |
| src/test.js:8:5:8:7 | req | src/test.js:6:9:9:1 | functio ... oo');\\n} |
| src/test.js:15:22:15:24 | req | src/test.js:15:12:15:32 | functio ... res){} |
| src/test.js:19:18:19:20 | req | src/test.js:19:9:19:27 | function(req,res){} |
| src/test.js:20:19:20:21 | req | src/test.js:20:10:20:28 | function(req,res){} |
| src/test.js:24:26:24:28 | req | src/test.js:24:9:26:1 | functio ... '');\\n} |
test_Credentials
| src/test.js:12:19:12:28 | 'username' | user name |
| src/test.js:12:31:12:40 | 'password' | password |
test_RouteHandler_getARequestExpr
| src/test.js:6:9:9:1 | functio ... oo');\\n} | src/test.js:6:27:6:29 | req |
| src/test.js:6:9:9:1 | functio ... oo');\\n} | src/test.js:8:5:8:7 | req |
| src/test.js:15:12:15:32 | functio ... res){} | src/test.js:15:22:15:24 | req |
| src/test.js:19:9:19:27 | function(req,res){} | src/test.js:19:18:19:20 | req |
| src/test.js:20:10:20:28 | function(req,res){} | src/test.js:20:19:20:21 | req |
| src/test.js:24:9:26:1 | functio ... '');\\n} | src/test.js:24:26:24:28 | req |

5
javascript/ql/test/library-tests/frameworks/fastify/HeaderAccess.qll Normal file
View File

@@ -0,0 +1,5 @@
import javascript
query predicate test_HeaderAccess(HTTP::RequestHeaderAccess access, string res) {
res = access.getAHeaderName()
}

5
javascript/ql/test/library-tests/frameworks/fastify/HeaderDefinition.qll Normal file
View File

@@ -0,0 +1,5 @@
import javascript
query predicate test_HeaderDefinition(HTTP::HeaderDefinition hd, Fastify::RouteHandler rh) {
rh = hd.getRouteHandler()
}

5
javascript/ql/test/library-tests/frameworks/fastify/HeaderDefinition_defines.qll Normal file
View File

@@ -0,0 +1,5 @@
import javascript
query predicate test_HeaderDefinition_defines(HTTP::HeaderDefinition hd, string name, string value) {
hd.defines(name, value) and hd.getRouteHandler() instanceof Fastify::RouteHandler
}

5
javascript/ql/test/library-tests/frameworks/fastify/HeaderDefinition_getAHeaderName.qll Normal file
View File

@@ -0,0 +1,5 @@
import javascript
query predicate test_HeaderDefinition_getAHeaderName(HTTP::HeaderDefinition hd, string res) {
hd.getRouteHandler() instanceof Fastify::RouteHandler and res = hd.getAHeaderName()
}

5
javascript/ql/test/library-tests/frameworks/fastify/RedirectInvocation.qll Normal file
View File

@@ -0,0 +1,5 @@
import javascript
query predicate test_RedirectInvocation(HTTP::RedirectInvocation invk, Fastify::RouteHandler rh) {
invk.getRouteHandler() = rh
}

11
javascript/ql/test/library-tests/frameworks/fastify/RequestInputAccess.qll Normal file
View File

@@ -0,0 +1,11 @@
import javascript
query predicate test_RequestInputAccess(
HTTP::RequestInputAccess ria, string res, Fastify::RouteHandler rh, boolean isUserControlledObject
) {
ria.getRouteHandler() = rh and
res = ria.getKind() and
if ria.isUserControlledObject()
then isUserControlledObject = true
else isUserControlledObject = false
}

5
javascript/ql/test/library-tests/frameworks/fastify/ResponseSendArgument.qll Normal file
View File

@@ -0,0 +1,5 @@
import javascript
query predicate test_ResponseSendArgument(HTTP::ResponseSendArgument arg, Fastify::RouteHandler rh) {
arg.getRouteHandler() = rh
}

3
javascript/ql/test/library-tests/frameworks/fastify/RouteHandler.qll Normal file
View File

@@ -0,0 +1,3 @@
import javascript
query predicate test_RouteHandler(Fastify::RouteHandler rh, Expr res) { res = rh.getServer() }

5
javascript/ql/test/library-tests/frameworks/fastify/RouteHandler_getARequestExpr.qll Normal file
View File

@@ -0,0 +1,5 @@
import semmle.javascript.frameworks.Express
query predicate test_RouteHandler_getARequestExpr(Fastify::RouteHandler rh, HTTP::RequestExpr res) {
res = rh.getARequestExpr()
}

7
javascript/ql/test/library-tests/frameworks/fastify/RouteHandler_getAResponseHeader.qll Normal file
View File

@@ -0,0 +1,7 @@
import semmle.javascript.frameworks.Express
query predicate test_RouteHandler_getAResponseHeader(
Fastify::RouteHandler rh, string name, HTTP::HeaderDefinition res
) {
res = rh.getAResponseHeader(name)
}

3
javascript/ql/test/library-tests/frameworks/fastify/RouteSetup.qll Normal file
View File

@@ -0,0 +1,3 @@
import javascript
query predicate test_RouteSetup(Fastify::RouteSetup rs) { any() }

5
javascript/ql/test/library-tests/frameworks/fastify/RouteSetup_getARouteHandler.qll Normal file
View File

@@ -0,0 +1,5 @@
import javascript
query predicate test_RouteSetup_getARouteHandler(Fastify::RouteSetup r, DataFlow::SourceNode res) {
res = r.getARouteHandler()
}

3
javascript/ql/test/library-tests/frameworks/fastify/RouteSetup_getServer.qll Normal file
View File

@@ -0,0 +1,3 @@
import javascript
query predicate test_RouteSetup_getServer(Fastify::RouteSetup rs, Expr res) { res = rs.getServer() }

3
javascript/ql/test/library-tests/frameworks/fastify/ServerDefinition.qll Normal file
View File

@@ -0,0 +1,3 @@
import javascript
query predicate test_ServerDefinition(Fastify::ServerDefinition s) { any() }

92
javascript/ql/test/library-tests/frameworks/fastify/src/fastify.js Normal file
View File

@@ -0,0 +1,92 @@
var fastify = require("fastify")();
fastify.get(
"/",
/* handler */ async (request, reply) => {
return { hello: "world" }; // response
}
);
fastify.route({
method: "GET",
url: "/",
onRequest: /* handler */ (request, reply, done) => {},
preParsing: /* handler */ (request, reply, done) => {},
preValidation: /* handler */ (request, reply, done) => {},
preHandler: /* handler */ (request, reply, done) => {},
preSerialization: /* handler */ (request, reply, payload, done) => {},
onSend: /* handler */ (request, reply, payload, done) => {},
onResponse: /* handler */ (request, reply, done) => {},
handler: /* handler */ (request, reply) => {}
});
fastify.get(
"/",
opts,
/* handler */ (request, reply) => {
reply.send({ hello: "world" }); // response
}
);
fastify.post(
"/:params",
options,
/* handler */ function(request, reply) {
// request properties
request.query.name; // the parsed querystring
request.body; // the body
request.params.name; // the params matching the URL
request.headers.name; // the headers
// reply properties
reply.header("name", "value"); // Sets a response header.
reply.headers({ name: "value" }); // Sets all the keys of the object as a response headers.
reply.redirect(code, url); // Redirect to the specified url, the status code is optional (default to 302).
reply.send(payload); // Sends the payload to the user, could be a plain text, a buffer, JSON, stream
}
);
fastify.listen(3000);
var fastifyWithObjects1 = require("fastify")();
fastifyWithObjects1.register(require("fastify-xml-body-parser"));
fastifyWithObjects1.post(
"/:params",
/* handler */ function(request, reply) {
request.query;
request.body;
request.params;
}
);
var fastifyWithObjects2 = require("fastify")();
fastifyWithObjects2.register(require("fastify-formbody"));
fastifyWithObjects2.post(
"/:params",
/* handler */ function(request, reply) {
request.query;
request.body;
request.params;
}
);
var fastifyWithObjects3 = require("fastify")();
fastifyWithObjects3.register(require("fastify-qs"));
fastifyWithObjects3.post(
"/:params",
/* handler */ function(request, reply) {
request.query;
request.body;
request.params;
}
);
var fastifyWithObjects4 = require("fastify")();
fastifyWithObjects4.use(require("body-parser").urlencoded({ extended: true }));
fastifyWithObjects4.post(
"/:params",
/* handler */ function(request, reply) {
request.query;
request.body;
request.params;
}
);

125
javascript/ql/test/library-tests/frameworks/fastify/tests.expected Normal file
View File

@@ -0,0 +1,125 @@
test_RouteSetup
| src/fastify.js:3:1:8:1 | fastify ... e\\n }\\n) |
| src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) |
| src/fastify.js:23:1:29:1 | fastify ... e\\n }\\n) |
| src/fastify.js:31:1:47:1 | fastify ... m\\n }\\n) |
| src/fastify.js:52:1:59:1 | fastify ... ;\\n }\\n) |
| src/fastify.js:63:1:70:1 | fastify ... ;\\n }\\n) |
| src/fastify.js:74:1:81:1 | fastify ... ;\\n }\\n) |
| src/fastify.js:85:1:92:1 | fastify ... ;\\n }\\n) |
test_RequestInputAccess
| src/fastify.js:36:5:36:17 | request.query | parameter | src/fastify.js:34:17:46:3 | functio ... eam\\n } | false |
| src/fastify.js:37:5:37:16 | request.body | body | src/fastify.js:34:17:46:3 | functio ... eam\\n } | false |
| src/fastify.js:38:5:38:18 | request.params | parameter | src/fastify.js:34:17:46:3 | functio ... eam\\n } | false |
| src/fastify.js:39:5:39:24 | request.headers.name | header | src/fastify.js:34:17:46:3 | functio ... eam\\n } | false |
| src/fastify.js:55:5:55:17 | request.query | parameter | src/fastify.js:54:17:58:3 | functio ... ms;\\n } | false |
| src/fastify.js:56:5:56:16 | request.body | body | src/fastify.js:54:17:58:3 | functio ... ms;\\n } | true |
| src/fastify.js:57:5:57:18 | request.params | parameter | src/fastify.js:54:17:58:3 | functio ... ms;\\n } | false |
| src/fastify.js:66:5:66:17 | request.query | parameter | src/fastify.js:65:17:69:3 | functio ... ms;\\n } | false |
| src/fastify.js:67:5:67:16 | request.body | body | src/fastify.js:65:17:69:3 | functio ... ms;\\n } | true |
| src/fastify.js:68:5:68:18 | request.params | parameter | src/fastify.js:65:17:69:3 | functio ... ms;\\n } | false |
| src/fastify.js:77:5:77:17 | request.query | parameter | src/fastify.js:76:17:80:3 | functio ... ms;\\n } | true |
| src/fastify.js:78:5:78:16 | request.body | body | src/fastify.js:76:17:80:3 | functio ... ms;\\n } | false |
| src/fastify.js:79:5:79:18 | request.params | parameter | src/fastify.js:76:17:80:3 | functio ... ms;\\n } | true |
| src/fastify.js:88:5:88:17 | request.query | parameter | src/fastify.js:87:17:91:3 | functio ... ms;\\n } | false |
| src/fastify.js:89:5:89:16 | request.body | body | src/fastify.js:87:17:91:3 | functio ... ms;\\n } | true |
| src/fastify.js:90:5:90:18 | request.params | parameter | src/fastify.js:87:17:91:3 | functio ... ms;\\n } | false |
test_RouteHandler_getAResponseHeader
| src/fastify.js:34:17:46:3 | functio ... eam\\n } | name | src/fastify.js:42:5:42:33 | reply.h ... value") |
| src/fastify.js:34:17:46:3 | functio ... eam\\n } | name | src/fastify.js:43:5:43:36 | reply.h ... lue" }) |
test_HeaderDefinition_defines
| src/fastify.js:42:5:42:33 | reply.h ... value") | name | value |
| src/fastify.js:43:5:43:36 | reply.h ... lue" }) | name | value |
test_HeaderDefinition
| src/fastify.js:42:5:42:33 | reply.h ... value") | src/fastify.js:34:17:46:3 | functio ... eam\\n } |
| src/fastify.js:43:5:43:36 | reply.h ... lue" }) | src/fastify.js:34:17:46:3 | functio ... eam\\n } |
test_RouteSetup_getServer
| src/fastify.js:3:1:8:1 | fastify ... e\\n }\\n) | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:23:1:29:1 | fastify ... e\\n }\\n) | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:31:1:47:1 | fastify ... m\\n }\\n) | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:52:1:59:1 | fastify ... ;\\n }\\n) | src/fastify.js:50:27:50:46 | require("fastify")() |
| src/fastify.js:63:1:70:1 | fastify ... ;\\n }\\n) | src/fastify.js:61:27:61:46 | require("fastify")() |
| src/fastify.js:74:1:81:1 | fastify ... ;\\n }\\n) | src/fastify.js:72:27:72:46 | require("fastify")() |
| src/fastify.js:85:1:92:1 | fastify ... ;\\n }\\n) | src/fastify.js:83:27:83:46 | require("fastify")() |
test_HeaderDefinition_getAHeaderName
| src/fastify.js:42:5:42:33 | reply.h ... value") | name |
| src/fastify.js:43:5:43:36 | reply.h ... lue" }) | name |
test_ServerDefinition
| src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:50:27:50:46 | require("fastify")() |
| src/fastify.js:61:27:61:46 | require("fastify")() |
| src/fastify.js:72:27:72:46 | require("fastify")() |
| src/fastify.js:83:27:83:46 | require("fastify")() |
test_HeaderAccess
| src/fastify.js:39:5:39:24 | request.headers.name | name |
test_RouteSetup_getARouteHandler
| src/fastify.js:3:1:8:1 | fastify ... e\\n }\\n) | src/fastify.js:5:17:7:3 | async ( ... nse\\n } |
| src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:13:28:13:55 | (reques ... ) => {} |
| src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:14:29:14:56 | (reques ... ) => {} |
| src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:15:32:15:59 | (reques ... ) => {} |
| src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:16:29:16:56 | (reques ... ) => {} |
| src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:17:35:17:71 | (reques ... ) => {} |
| src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:18:25:18:61 | (reques ... ) => {} |
| src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:19:29:19:56 | (reques ... ) => {} |
| src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:20:26:20:47 | (reques ... ) => {} |
| src/fastify.js:23:1:29:1 | fastify ... e\\n }\\n) | src/fastify.js:26:17:28:3 | (reques ... nse\\n } |
| src/fastify.js:31:1:47:1 | fastify ... m\\n }\\n) | src/fastify.js:34:17:46:3 | functio ... eam\\n } |
| src/fastify.js:52:1:59:1 | fastify ... ;\\n }\\n) | src/fastify.js:54:17:58:3 | functio ... ms;\\n } |
| src/fastify.js:63:1:70:1 | fastify ... ;\\n }\\n) | src/fastify.js:65:17:69:3 | functio ... ms;\\n } |
| src/fastify.js:74:1:81:1 | fastify ... ;\\n }\\n) | src/fastify.js:76:17:80:3 | functio ... ms;\\n } |
| src/fastify.js:85:1:92:1 | fastify ... ;\\n }\\n) | src/fastify.js:87:17:91:3 | functio ... ms;\\n } |
test_RouteHandler
| src/fastify.js:5:17:7:3 | async ( ... nse\\n } | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:13:28:13:55 | (reques ... ) => {} | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:14:29:14:56 | (reques ... ) => {} | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:15:32:15:59 | (reques ... ) => {} | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:16:29:16:56 | (reques ... ) => {} | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:17:35:17:71 | (reques ... ) => {} | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:18:25:18:61 | (reques ... ) => {} | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:19:29:19:56 | (reques ... ) => {} | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:20:26:20:47 | (reques ... ) => {} | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:26:17:28:3 | (reques ... nse\\n } | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:34:17:46:3 | functio ... eam\\n } | src/fastify.js:1:15:1:34 | require("fastify")() |
| src/fastify.js:54:17:58:3 | functio ... ms;\\n } | src/fastify.js:50:27:50:46 | require("fastify")() |
| src/fastify.js:65:17:69:3 | functio ... ms;\\n } | src/fastify.js:61:27:61:46 | require("fastify")() |
| src/fastify.js:76:17:80:3 | functio ... ms;\\n } | src/fastify.js:72:27:72:46 | require("fastify")() |
| src/fastify.js:87:17:91:3 | functio ... ms;\\n } | src/fastify.js:83:27:83:46 | require("fastify")() |
test_RouteHandler_getARequestExpr
| src/fastify.js:5:17:7:3 | async ( ... nse\\n } | src/fastify.js:5:24:5:30 | request |
| src/fastify.js:13:28:13:55 | (reques ... ) => {} | src/fastify.js:13:29:13:35 | request |
| src/fastify.js:14:29:14:56 | (reques ... ) => {} | src/fastify.js:14:30:14:36 | request |
| src/fastify.js:15:32:15:59 | (reques ... ) => {} | src/fastify.js:15:33:15:39 | request |
| src/fastify.js:16:29:16:56 | (reques ... ) => {} | src/fastify.js:16:30:16:36 | request |
| src/fastify.js:17:35:17:71 | (reques ... ) => {} | src/fastify.js:17:36:17:42 | request |
| src/fastify.js:18:25:18:61 | (reques ... ) => {} | src/fastify.js:18:26:18:32 | request |
| src/fastify.js:19:29:19:56 | (reques ... ) => {} | src/fastify.js:19:30:19:36 | request |
| src/fastify.js:20:26:20:47 | (reques ... ) => {} | src/fastify.js:20:27:20:33 | request |
| src/fastify.js:26:17:28:3 | (reques ... nse\\n } | src/fastify.js:26:18:26:24 | request |
| src/fastify.js:34:17:46:3 | functio ... eam\\n } | src/fastify.js:34:26:34:32 | request |
| src/fastify.js:34:17:46:3 | functio ... eam\\n } | src/fastify.js:36:5:36:11 | request |
| src/fastify.js:34:17:46:3 | functio ... eam\\n } | src/fastify.js:37:5:37:11 | request |
| src/fastify.js:34:17:46:3 | functio ... eam\\n } | src/fastify.js:38:5:38:11 | request |
| src/fastify.js:34:17:46:3 | functio ... eam\\n } | src/fastify.js:39:5:39:11 | request |
| src/fastify.js:54:17:58:3 | functio ... ms;\\n } | src/fastify.js:54:26:54:32 | request |
| src/fastify.js:54:17:58:3 | functio ... ms;\\n } | src/fastify.js:55:5:55:11 | request |
| src/fastify.js:54:17:58:3 | functio ... ms;\\n } | src/fastify.js:56:5:56:11 | request |
| src/fastify.js:54:17:58:3 | functio ... ms;\\n } | src/fastify.js:57:5:57:11 | request |
| src/fastify.js:65:17:69:3 | functio ... ms;\\n } | src/fastify.js:65:26:65:32 | request |
| src/fastify.js:65:17:69:3 | functio ... ms;\\n } | src/fastify.js:66:5:66:11 | request |
| src/fastify.js:65:17:69:3 | functio ... ms;\\n } | src/fastify.js:67:5:67:11 | request |
| src/fastify.js:65:17:69:3 | functio ... ms;\\n } | src/fastify.js:68:5:68:11 | request |
| src/fastify.js:76:17:80:3 | functio ... ms;\\n } | src/fastify.js:76:26:76:32 | request |
| src/fastify.js:76:17:80:3 | functio ... ms;\\n } | src/fastify.js:77:5:77:11 | request |
| src/fastify.js:76:17:80:3 | functio ... ms;\\n } | src/fastify.js:78:5:78:11 | request |
| src/fastify.js:76:17:80:3 | functio ... ms;\\n } | src/fastify.js:79:5:79:11 | request |
| src/fastify.js:87:17:91:3 | functio ... ms;\\n } | src/fastify.js:87:26:87:32 | request |
| src/fastify.js:87:17:91:3 | functio ... ms;\\n } | src/fastify.js:88:5:88:11 | request |
| src/fastify.js:87:17:91:3 | functio ... ms;\\n } | src/fastify.js:89:5:89:11 | request |
| src/fastify.js:87:17:91:3 | functio ... ms;\\n } | src/fastify.js:90:5:90:11 | request |
test_ResponseSendArgument
| src/fastify.js:6:12:6:29 | { hello: "world" } | src/fastify.js:5:17:7:3 | async ( ... nse\\n } |
| src/fastify.js:27:16:27:33 | { hello: "world" } | src/fastify.js:26:17:28:3 | (reques ... nse\\n } |
| src/fastify.js:45:16:45:22 | payload | src/fastify.js:34:17:46:3 | functio ... eam\\n } |
test_RedirectInvocation
| src/fastify.js:44:5:44:29 | reply.r ... e, url) | src/fastify.js:34:17:46:3 | functio ... eam\\n } |

14
javascript/ql/test/library-tests/frameworks/fastify/tests.ql Normal file
View File

@@ -0,0 +1,14 @@
import RouteSetup
import RequestInputAccess
import RouteHandler_getAResponseHeader
import HeaderDefinition_defines
import HeaderDefinition
import RouteSetup_getServer
import HeaderDefinition_getAHeaderName
import ServerDefinition
import HeaderAccess
import RouteSetup_getARouteHandler
import RouteHandler
import RouteHandler_getARequestExpr
import ResponseSendArgument
import RedirectInvocation

8
javascript/ql/test/library-tests/frameworks/hapi/tests.expected
View File

@@ -46,18 +46,26 @@ test_RouteHandler
| src/hapi.js:20:1:27:1 | functio ... oken;\\n} | src/hapi.js:4:15:4:31 | new Hapi.Server() |
| src/hapi.js:34:12:34:30 | function (req, h){} | src/hapi.js:4:15:4:31 | new Hapi.Server() |
test_RequestExpr
| src/hapi.js:13:32:13:38 | request | src/hapi.js:13:14:15:5 | functio ... n\\n } |
| src/hapi.js:14:9:14:15 | request | src/hapi.js:13:14:15:5 | functio ... n\\n } |
| src/hapi.js:17:48:17:54 | request | src/hapi.js:17:30:18:1 | functio ... ndler\\n} |
| src/hapi.js:20:19:20:25 | request | src/hapi.js:20:1:27:1 | functio ... oken;\\n} |
| src/hapi.js:21:3:21:9 | request | src/hapi.js:20:1:27:1 | functio ... oken;\\n} |
| src/hapi.js:22:3:22:9 | request | src/hapi.js:20:1:27:1 | functio ... oken;\\n} |
| src/hapi.js:23:3:23:9 | request | src/hapi.js:20:1:27:1 | functio ... oken;\\n} |
| src/hapi.js:24:3:24:9 | request | src/hapi.js:20:1:27:1 | functio ... oken;\\n} |
| src/hapi.js:25:3:25:9 | request | src/hapi.js:20:1:27:1 | functio ... oken;\\n} |
| src/hapi.js:26:3:26:9 | request | src/hapi.js:20:1:27:1 | functio ... oken;\\n} |
| src/hapi.js:34:22:34:24 | req | src/hapi.js:34:12:34:30 | function (req, h){} |
test_RouteHandler_getARequestExpr
| src/hapi.js:13:14:15:5 | functio ... n\\n } | src/hapi.js:13:32:13:38 | request |
| src/hapi.js:13:14:15:5 | functio ... n\\n } | src/hapi.js:14:9:14:15 | request |
| src/hapi.js:17:30:18:1 | functio ... ndler\\n} | src/hapi.js:17:48:17:54 | request |
| src/hapi.js:20:1:27:1 | functio ... oken;\\n} | src/hapi.js:20:19:20:25 | request |
| src/hapi.js:20:1:27:1 | functio ... oken;\\n} | src/hapi.js:21:3:21:9 | request |
| src/hapi.js:20:1:27:1 | functio ... oken;\\n} | src/hapi.js:22:3:22:9 | request |
| src/hapi.js:20:1:27:1 | functio ... oken;\\n} | src/hapi.js:23:3:23:9 | request |
| src/hapi.js:20:1:27:1 | functio ... oken;\\n} | src/hapi.js:24:3:24:9 | request |
| src/hapi.js:20:1:27:1 | functio ... oken;\\n} | src/hapi.js:25:3:25:9 | request |
| src/hapi.js:20:1:27:1 | functio ... oken;\\n} | src/hapi.js:26:3:26:9 | request |
| src/hapi.js:34:12:34:30 | function (req, h){} | src/hapi.js:34:22:34:24 | req |

6
javascript/ql/test/library-tests/frameworks/koa/tests.expected
View File

@@ -46,6 +46,7 @@ test_ResponseExpr
| src/koa.js:18:3:18:14 | ctx.response | src/koa.js:10:10:28:1 | functio ... az');\\n} |
| src/koa.js:44:2:44:13 | ctx.response | src/koa.js:30:10:45:1 | async c ... url);\\n} |
test_RouteHandler_getAContextExpr
| src/koa.js:10:10:28:1 | functio ... az');\\n} | src/koa.js:10:28:10:30 | ctx |
| src/koa.js:10:10:28:1 | functio ... az');\\n} | src/koa.js:11:3:11:6 | this |
| src/koa.js:10:10:28:1 | functio ... az');\\n} | src/koa.js:12:3:12:6 | this |
| src/koa.js:10:10:28:1 | functio ... az');\\n} | src/koa.js:13:3:13:5 | ctx |
@@ -61,6 +62,7 @@ test_RouteHandler_getAContextExpr
| src/koa.js:10:10:28:1 | functio ... az');\\n} | src/koa.js:25:3:25:5 | ctx |
| src/koa.js:10:10:28:1 | functio ... az');\\n} | src/koa.js:26:3:26:5 | ctx |
| src/koa.js:10:10:28:1 | functio ... az');\\n} | src/koa.js:27:3:27:5 | ctx |
| src/koa.js:30:10:45:1 | async c ... url);\\n} | src/koa.js:30:16:30:18 | ctx |
| src/koa.js:30:10:45:1 | async c ... url);\\n} | src/koa.js:31:2:31:4 | ctx |
| src/koa.js:30:10:45:1 | async c ... url);\\n} | src/koa.js:32:2:32:4 | ctx |
| src/koa.js:30:10:45:1 | async c ... url);\\n} | src/koa.js:33:2:33:4 | ctx |
@@ -74,6 +76,7 @@ test_RouteHandler_getAContextExpr
| src/koa.js:30:10:45:1 | async c ... url);\\n} | src/koa.js:42:12:42:14 | ctx |
| src/koa.js:30:10:45:1 | async c ... url);\\n} | src/koa.js:43:2:43:4 | ctx |
| src/koa.js:30:10:45:1 | async c ... url);\\n} | src/koa.js:44:2:44:4 | ctx |
| src/koa.js:47:10:56:1 | async c ... .foo;\\n} | src/koa.js:47:16:47:18 | ctx |
| src/koa.js:47:10:56:1 | async c ... .foo;\\n} | src/koa.js:48:16:48:18 | ctx |
| src/koa.js:47:10:56:1 | async c ... .foo;\\n} | src/koa.js:51:14:51:16 | ctx |
| src/koa.js:47:10:56:1 | async c ... .foo;\\n} | src/koa.js:54:16:54:18 | ctx |
@@ -152,6 +155,7 @@ test_RouteHandler_getARequestExpr
| src/koa.js:10:10:28:1 | functio ... az');\\n} | src/koa.js:26:3:26:13 | ctx.request |
| src/koa.js:59:10:61:1 | functio ... .url;\\n} | src/koa.js:60:2:60:13 | this.request |
test_ContextExpr
| src/koa.js:10:28:10:30 | ctx | src/koa.js:10:10:28:1 | functio ... az');\\n} |
| src/koa.js:11:3:11:6 | this | src/koa.js:10:10:28:1 | functio ... az');\\n} |
| src/koa.js:12:3:12:6 | this | src/koa.js:10:10:28:1 | functio ... az');\\n} |
| src/koa.js:13:3:13:5 | ctx | src/koa.js:10:10:28:1 | functio ... az');\\n} |
@@ -167,6 +171,7 @@ test_ContextExpr
| src/koa.js:25:3:25:5 | ctx | src/koa.js:10:10:28:1 | functio ... az');\\n} |
| src/koa.js:26:3:26:5 | ctx | src/koa.js:10:10:28:1 | functio ... az');\\n} |
| src/koa.js:27:3:27:5 | ctx | src/koa.js:10:10:28:1 | functio ... az');\\n} |
| src/koa.js:30:16:30:18 | ctx | src/koa.js:30:10:45:1 | async c ... url);\\n} |
| src/koa.js:31:2:31:4 | ctx | src/koa.js:30:10:45:1 | async c ... url);\\n} |
| src/koa.js:32:2:32:4 | ctx | src/koa.js:30:10:45:1 | async c ... url);\\n} |
| src/koa.js:33:2:33:4 | ctx | src/koa.js:30:10:45:1 | async c ... url);\\n} |
@@ -180,6 +185,7 @@ test_ContextExpr
| src/koa.js:42:12:42:14 | ctx | src/koa.js:30:10:45:1 | async c ... url);\\n} |
| src/koa.js:43:2:43:4 | ctx | src/koa.js:30:10:45:1 | async c ... url);\\n} |
| src/koa.js:44:2:44:4 | ctx | src/koa.js:30:10:45:1 | async c ... url);\\n} |
| src/koa.js:47:16:47:18 | ctx | src/koa.js:47:10:56:1 | async c ... .foo;\\n} |
| src/koa.js:48:16:48:18 | ctx | src/koa.js:47:10:56:1 | async c ... .foo;\\n} |
| src/koa.js:51:14:51:16 | ctx | src/koa.js:47:10:56:1 | async c ... .foo;\\n} |
| src/koa.js:54:16:54:18 | ctx | src/koa.js:47:10:56:1 | async c ... .foo;\\n} |

8
javascript/ql/test/library-tests/frameworks/restify/tests.expected
View File

@@ -17,7 +17,9 @@ test_HeaderDefinition_defines
| src/test.js:10:5:10:34 | respons ... 1', '') | header1 | |
| src/test.js:13:5:13:37 | respons ... 2', '') | header2 | |
test_ResponseExpr
| src/test.js:9:46:9:53 | response | src/test.js:9:19:11:1 | functio ... ition\\n} |
| src/test.js:10:5:10:12 | response | src/test.js:9:19:11:1 | functio ... ition\\n} |
| src/test.js:12:46:12:53 | response | src/test.js:12:19:22:1 | functio ... okie;\\n} |
| src/test.js:13:5:13:12 | response | src/test.js:12:19:22:1 | functio ... okie;\\n} |
test_HeaderDefinition
| src/test.js:10:5:10:34 | respons ... 1', '') | src/test.js:9:19:11:1 | functio ... ition\\n} |
@@ -33,7 +35,9 @@ test_ServerDefinition
| src/test.js:1:15:1:47 | require ... erver() |
| src/test.js:4:15:4:36 | restify ... erver() |
test_RouteHandler_getAResponseExpr
| src/test.js:9:19:11:1 | functio ... ition\\n} | src/test.js:9:46:9:53 | response |
| src/test.js:9:19:11:1 | functio ... ition\\n} | src/test.js:10:5:10:12 | response |
| src/test.js:12:19:22:1 | functio ... okie;\\n} | src/test.js:12:46:12:53 | response |
| src/test.js:12:19:22:1 | functio ... okie;\\n} | src/test.js:13:5:13:12 | response |
test_RouteSetup_getARouteHandler
| src/test.js:7:1:7:26 | server2 ... ndler1) | src/test.js:6:1:6:21 | functio ... er1(){} |
@@ -44,6 +48,8 @@ test_RouteHandler
| src/test.js:9:19:11:1 | functio ... ition\\n} | src/test.js:4:15:4:36 | restify ... erver() |
| src/test.js:12:19:22:1 | functio ... okie;\\n} | src/test.js:4:15:4:36 | restify ... erver() |
test_RequestExpr
| src/test.js:9:37:9:43 | request | src/test.js:9:19:11:1 | functio ... ition\\n} |
| src/test.js:12:37:12:43 | request | src/test.js:12:19:22:1 | functio ... okie;\\n} |
| src/test.js:14:5:14:11 | request | src/test.js:12:19:22:1 | functio ... okie;\\n} |
| src/test.js:15:5:15:11 | request | src/test.js:12:19:22:1 | functio ... okie;\\n} |
| src/test.js:16:5:16:11 | request | src/test.js:12:19:22:1 | functio ... okie;\\n} |
@@ -53,6 +59,8 @@ test_RequestExpr
| src/test.js:20:5:20:11 | request | src/test.js:12:19:22:1 | functio ... okie;\\n} |
| src/test.js:21:5:21:11 | request | src/test.js:12:19:22:1 | functio ... okie;\\n} |
test_RouteHandler_getARequestExpr
| src/test.js:9:19:11:1 | functio ... ition\\n} | src/test.js:9:37:9:43 | request |
| src/test.js:12:19:22:1 | functio ... okie;\\n} | src/test.js:12:37:12:43 | request |
| src/test.js:12:19:22:1 | functio ... okie;\\n} | src/test.js:14:5:14:11 | request |
| src/test.js:12:19:22:1 | functio ... okie;\\n} | src/test.js:15:5:15:11 | request |
| src/test.js:12:19:22:1 | functio ... okie;\\n} | src/test.js:16:5:16:11 | request |

5
javascript/ql/test/query-tests/Declarations/UnusedProperty/tst-yield.js Normal file
View File

@@ -0,0 +1,5 @@
async function* f() {
yield* {
get p() { }
};
}

40
javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected
View File

@@ -2,36 +2,55 @@ nodes
| AdmZipBad.js:6:24:6:41 | zipEntry.entryName |
| AdmZipBad.js:6:24:6:41 | zipEntry.entryName |
| AdmZipBad.js:6:24:6:41 | zipEntry.entryName |
| AdmZipBad.js:6:24:6:41 | zipEntry.entryName |
| TarSlipBad.js:6:36:6:46 | header.name |
| TarSlipBad.js:6:36:6:46 | header.name |
| TarSlipBad.js:6:36:6:46 | header.name |
| TarSlipBad.js:6:36:6:46 | header.name |
| TarSlipBad.js:9:17:9:31 | header.linkname |
| TarSlipBad.js:9:17:9:31 | header.linkname |
| TarSlipBad.js:9:17:9:31 | header.linkname |
| TarSlipBad.js:9:17:9:31 | header.linkname |
| ZipSlipBad2.js:5:9:5:46 | fileName |
| ZipSlipBad2.js:5:9:5:46 | fileName |
| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
| ZipSlipBad2.js:5:37:5:46 | entry.path |
| ZipSlipBad2.js:5:37:5:46 | entry.path |
| ZipSlipBad2.js:5:37:5:46 | entry.path |
| ZipSlipBad2.js:6:22:6:29 | fileName |
| ZipSlipBad2.js:6:22:6:29 | fileName |
| ZipSlipBad2.js:6:22:6:29 | fileName |
| ZipSlipBad.js:7:11:7:31 | fileName |
| ZipSlipBad.js:7:11:7:31 | fileName |
| ZipSlipBad.js:7:22:7:31 | entry.path |
| ZipSlipBad.js:7:22:7:31 | entry.path |
| ZipSlipBad.js:7:22:7:31 | entry.path |
| ZipSlipBad.js:8:37:8:44 | fileName |
| ZipSlipBad.js:8:37:8:44 | fileName |
| ZipSlipBad.js:8:37:8:44 | fileName |
| ZipSlipBad.js:15:11:15:31 | fileName |
| ZipSlipBad.js:15:11:15:31 | fileName |
| ZipSlipBad.js:15:22:15:31 | entry.path |
| ZipSlipBad.js:15:22:15:31 | entry.path |
| ZipSlipBad.js:15:22:15:31 | entry.path |
| ZipSlipBad.js:16:30:16:37 | fileName |
| ZipSlipBad.js:16:30:16:37 | fileName |
| ZipSlipBad.js:16:30:16:37 | fileName |
| ZipSlipBad.js:22:11:22:31 | fileName |
| ZipSlipBad.js:22:11:22:31 | fileName |
| ZipSlipBad.js:22:22:22:31 | entry.path |
| ZipSlipBad.js:22:22:22:31 | entry.path |
| ZipSlipBad.js:22:22:22:31 | entry.path |
| ZipSlipBad.js:23:28:23:35 | fileName |
| ZipSlipBad.js:23:28:23:35 | fileName |
| ZipSlipBad.js:23:28:23:35 | fileName |
| ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
| ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path |
| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path |
| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path |
| ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
| ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
| ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
edges
@@ -40,23 +59,44 @@ edges
| TarSlipBad.js:9:17:9:31 | header.linkname | TarSlipBad.js:9:17:9:31 | header.linkname |
| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | ZipSlipBad2.js:5:9:5:46 | fileName |
| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | ZipSlipBad2.js:5:9:5:46 | fileName |
| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
| ZipSlipBad.js:15:11:15:31 | fileName | ZipSlipBad.js:16:30:16:37 | fileName |
| ZipSlipBad.js:15:11:15:31 | fileName | ZipSlipBad.js:16:30:16:37 | fileName |
| ZipSlipBad.js:15:11:15:31 | fileName | ZipSlipBad.js:16:30:16:37 | fileName |
| ZipSlipBad.js:15:11:15:31 | fileName | ZipSlipBad.js:16:30:16:37 | fileName |
| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:11:15:31 | fileName |
| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:11:15:31 | fileName |
| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:11:15:31 | fileName |
| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:11:15:31 | fileName |
| ZipSlipBad.js:22:11:22:31 | fileName | ZipSlipBad.js:23:28:23:35 | fileName |
| ZipSlipBad.js:22:11:22:31 | fileName | ZipSlipBad.js:23:28:23:35 | fileName |
| ZipSlipBad.js:22:11:22:31 | fileName | ZipSlipBad.js:23:28:23:35 | fileName |
| ZipSlipBad.js:22:11:22:31 | fileName | ZipSlipBad.js:23:28:23:35 | fileName |
| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:11:22:31 | fileName |
| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:11:22:31 | fileName |
| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:11:22:31 | fileName |
| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:11:22:31 | fileName |
| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
#select

22
javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js
View File

@@ -15,3 +15,25 @@ fs.createReadStream('archive.zip')
fs.createWriteStream(path.join(cwd, path.join('/', fileName)));
});
fs.createReadStream('archive.zip')
.pipe(unzip.Parse())
.on('entry', entry => {
const fileName = path.normalize(entry.path);
if (path.isAbsolute(fileName)) {
return;
}
if (!fileName.startsWith(".")) {
entry.pipe(fs.createWriteStream(fileName)); // OK.
}
});
fs.createReadStream('archive.zip')
.pipe(unzip.Parse())
.on('entry', entry => {
const fileName = path.normalize(entry.path);
entry.pipe(fs.createWriteStream(path.basename(fileName))); // OK.
});

18
javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
View File

@@ -3,6 +3,7 @@ nodes
| child_process-test.js:6:15:6:38 | url.par ... , true) |
| child_process-test.js:6:15:6:44 | url.par ... ).query |
| child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:25:6:31 | req.url |
| child_process-test.js:6:25:6:31 | req.url |
| child_process-test.js:17:13:17:15 | cmd |
@@ -93,6 +94,12 @@ nodes
| other.js:18:22:18:24 | cmd |
| other.js:19:36:19:38 | cmd |
| other.js:19:36:19:38 | cmd |
| other.js:22:21:22:23 | cmd |
| other.js:22:21:22:23 | cmd |
| other.js:23:28:23:30 | cmd |
| other.js:23:28:23:30 | cmd |
| other.js:26:34:26:36 | cmd |
| other.js:26:34:26:36 | cmd |
| third-party-command-injection.js:5:20:5:26 | command |
| third-party-command-injection.js:5:20:5:26 | command |
| third-party-command-injection.js:6:21:6:27 | command |
@@ -124,6 +131,7 @@ edges
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:54:46:54:48 | cmd |
| child_process-test.js:6:15:6:38 | url.par ... , true) | child_process-test.js:6:15:6:44 | url.par ... ).query |
| child_process-test.js:6:15:6:44 | url.par ... ).query | child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:15:6:44 | url.par ... ).query | child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:15:6:49 | url.par ... ry.path | child_process-test.js:6:9:6:49 | cmd |
| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
@@ -184,6 +192,12 @@ edges
| other.js:5:9:5:49 | cmd | other.js:18:22:18:24 | cmd |
| other.js:5:9:5:49 | cmd | other.js:19:36:19:38 | cmd |
| other.js:5:9:5:49 | cmd | other.js:19:36:19:38 | cmd |
| other.js:5:9:5:49 | cmd | other.js:22:21:22:23 | cmd |
| other.js:5:9:5:49 | cmd | other.js:22:21:22:23 | cmd |
| other.js:5:9:5:49 | cmd | other.js:23:28:23:30 | cmd |
| other.js:5:9:5:49 | cmd | other.js:23:28:23:30 | cmd |
| other.js:5:9:5:49 | cmd | other.js:26:34:26:36 | cmd |
| other.js:5:9:5:49 | cmd | other.js:26:34:26:36 | cmd |
| other.js:5:15:5:38 | url.par ... , true) | other.js:5:15:5:44 | url.par ... ).query |
| other.js:5:15:5:44 | url.par ... ).query | other.js:5:15:5:49 | url.par ... ry.path |
| other.js:5:15:5:49 | url.par ... ry.path | other.js:5:9:5:49 | cmd |
@@ -209,6 +223,7 @@ edges
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:25:53:58 | ['/C', ... , cmd]) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:46:53:57 | ["bar", cmd] | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:54:53:56 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:49 | url.par ... ry.path | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:54:25:54:49 | ['/C', ... at(cmd) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:59:5:59:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:50:15:50:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:64:3:64:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
@@ -226,4 +241,7 @@ edges
| other.js:17:27:17:29 | cmd | other.js:5:25:5:31 | req.url | other.js:17:27:17:29 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
| other.js:18:22:18:24 | cmd | other.js:5:25:5:31 | req.url | other.js:18:22:18:24 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
| other.js:19:36:19:38 | cmd | other.js:5:25:5:31 | req.url | other.js:19:36:19:38 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
| other.js:22:21:22:23 | cmd | other.js:5:25:5:31 | req.url | other.js:22:21:22:23 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
| other.js:23:28:23:30 | cmd | other.js:5:25:5:31 | req.url | other.js:23:28:23:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
| other.js:26:34:26:36 | cmd | other.js:5:25:5:31 | req.url | other.js:26:34:26:36 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
| third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command depends on $@. | third-party-command-injection.js:5:20:5:26 | command | a server-provided value |

435
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected Normal file
View File

@@ -0,0 +1,435 @@
nodes
| lib/lib2.js:3:28:3:31 | name |
| lib/lib2.js:3:28:3:31 | name |
| lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:7:32:7:35 | name |
| lib/lib2.js:7:32:7:35 | name |
| lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:8:22:8:25 | name |
| lib/lib.js:3:28:3:31 | name |
| lib/lib.js:3:28:3:31 | name |
| lib/lib.js:4:22:4:25 | name |
| lib/lib.js:4:22:4:25 | name |
| lib/lib.js:10:32:10:35 | name |
| lib/lib.js:10:32:10:35 | name |
| lib/lib.js:11:22:11:25 | name |
| lib/lib.js:11:22:11:25 | name |
| lib/lib.js:14:36:14:39 | name |
| lib/lib.js:14:36:14:39 | name |
| lib/lib.js:15:22:15:25 | name |
| lib/lib.js:15:22:15:25 | name |
| lib/lib.js:19:34:19:37 | name |
| lib/lib.js:19:34:19:37 | name |
| lib/lib.js:20:22:20:25 | name |
| lib/lib.js:20:22:20:25 | name |
| lib/lib.js:26:35:26:38 | name |
| lib/lib.js:26:35:26:38 | name |
| lib/lib.js:27:22:27:25 | name |
| lib/lib.js:27:22:27:25 | name |
| lib/lib.js:34:14:34:17 | name |
| lib/lib.js:34:14:34:17 | name |
| lib/lib.js:35:23:35:26 | name |
| lib/lib.js:35:23:35:26 | name |
| lib/lib.js:37:13:37:16 | name |
| lib/lib.js:37:13:37:16 | name |
| lib/lib.js:38:23:38:26 | name |
| lib/lib.js:38:23:38:26 | name |
| lib/lib.js:40:6:40:9 | name |
| lib/lib.js:40:6:40:9 | name |
| lib/lib.js:41:23:41:26 | name |
| lib/lib.js:41:23:41:26 | name |
| lib/lib.js:49:31:49:34 | name |
| lib/lib.js:49:31:49:34 | name |
| lib/lib.js:50:47:50:50 | name |
| lib/lib.js:50:47:50:50 | name |
| lib/lib.js:53:33:53:36 | name |
| lib/lib.js:53:33:53:36 | name |
| lib/lib.js:54:25:54:28 | name |
| lib/lib.js:54:25:54:28 | name |
| lib/lib.js:57:25:57:28 | name |
| lib/lib.js:57:25:57:28 | name |
| lib/lib.js:64:41:64:44 | name |
| lib/lib.js:64:41:64:44 | name |
| lib/lib.js:65:22:65:25 | name |
| lib/lib.js:65:22:65:25 | name |
| lib/lib.js:71:28:71:31 | name |
| lib/lib.js:71:28:71:31 | name |
| lib/lib.js:73:21:73:24 | name |
| lib/lib.js:73:21:73:24 | name |
| lib/lib.js:75:20:75:23 | name |
| lib/lib.js:75:20:75:23 | name |
| lib/lib.js:77:28:77:31 | name |
| lib/lib.js:77:28:77:31 | name |
| lib/lib.js:82:35:82:38 | name |
| lib/lib.js:82:35:82:38 | name |
| lib/lib.js:83:22:83:25 | name |
| lib/lib.js:83:22:83:25 | name |
| lib/lib.js:86:13:86:16 | name |
| lib/lib.js:86:13:86:16 | name |
| lib/lib.js:89:21:89:24 | name |
| lib/lib.js:89:21:89:24 | name |
| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:91:28:91:31 | name |
| lib/lib.js:97:35:97:38 | name |
| lib/lib.js:97:35:97:38 | name |
| lib/lib.js:98:35:98:38 | name |
| lib/lib.js:98:35:98:38 | name |
| lib/lib.js:100:37:100:40 | name |
| lib/lib.js:100:37:100:40 | name |
| lib/lib.js:102:46:102:49 | name |
| lib/lib.js:102:46:102:49 | name |
| lib/lib.js:108:41:108:44 | name |
| lib/lib.js:108:41:108:44 | name |
| lib/lib.js:111:34:111:37 | name |
| lib/lib.js:111:34:111:37 | name |
| lib/lib.js:112:22:112:25 | name |
| lib/lib.js:112:22:112:25 | name |
| lib/lib.js:120:33:120:36 | name |
| lib/lib.js:120:33:120:36 | name |
| lib/lib.js:121:22:121:25 | name |
| lib/lib.js:121:22:121:25 | name |
| lib/lib.js:130:6:130:9 | name |
| lib/lib.js:130:6:130:9 | name |
| lib/lib.js:131:23:131:26 | name |
| lib/lib.js:131:23:131:26 | name |
| lib/lib.js:148:37:148:40 | name |
| lib/lib.js:148:37:148:40 | name |
| lib/lib.js:149:24:149:27 | name |
| lib/lib.js:149:24:149:27 | name |
| lib/lib.js:155:38:155:41 | name |
| lib/lib.js:155:38:155:41 | name |
| lib/lib.js:161:25:161:28 | name |
| lib/lib.js:161:25:161:28 | name |
| lib/lib.js:170:41:170:44 | name |
| lib/lib.js:170:41:170:44 | name |
| lib/lib.js:173:20:173:23 | name |
| lib/lib.js:173:20:173:23 | name |
| lib/lib.js:177:38:177:41 | name |
| lib/lib.js:177:38:177:41 | name |
| lib/lib.js:181:6:181:52 | broken |
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" |
| lib/lib.js:181:21:181:24 | name |
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:186:34:186:37 | name |
| lib/lib.js:186:34:186:37 | name |
| lib/lib.js:187:22:187:25 | name |
| lib/lib.js:187:22:187:25 | name |
| lib/lib.js:190:23:190:26 | name |
| lib/lib.js:190:23:190:26 | name |
| lib/lib.js:196:45:196:48 | name |
| lib/lib.js:196:45:196:48 | name |
| lib/lib.js:197:22:197:25 | name |
| lib/lib.js:197:22:197:25 | name |
| lib/lib.js:200:23:200:26 | name |
| lib/lib.js:200:23:200:26 | name |
| lib/lib.js:206:45:206:48 | name |
| lib/lib.js:206:45:206:48 | name |
| lib/lib.js:207:22:207:25 | name |
| lib/lib.js:207:22:207:25 | name |
| lib/lib.js:212:23:212:26 | name |
| lib/lib.js:212:23:212:26 | name |
| lib/lib.js:216:39:216:42 | name |
| lib/lib.js:216:39:216:42 | name |
| lib/lib.js:217:22:217:25 | name |
| lib/lib.js:217:22:217:25 | name |
| lib/lib.js:220:23:220:26 | name |
| lib/lib.js:220:23:220:26 | name |
| lib/lib.js:224:22:224:25 | name |
| lib/lib.js:224:22:224:25 | name |
| lib/lib.js:227:39:227:42 | name |
| lib/lib.js:227:39:227:42 | name |
| lib/lib.js:228:22:228:25 | name |
| lib/lib.js:228:22:228:25 | name |
| lib/lib.js:236:22:236:25 | name |
| lib/lib.js:236:22:236:25 | name |
| lib/lib.js:248:42:248:45 | name |
| lib/lib.js:248:42:248:45 | name |
| lib/lib.js:249:22:249:25 | name |
| lib/lib.js:249:22:249:25 | name |
| lib/lib.js:257:35:257:38 | name |
| lib/lib.js:257:35:257:38 | name |
| lib/lib.js:258:22:258:25 | name |
| lib/lib.js:258:22:258:25 | name |
| lib/lib.js:261:30:261:33 | name |
| lib/lib.js:261:30:261:33 | name |
| lib/lib.js:267:46:267:48 | obj |
| lib/lib.js:267:46:267:48 | obj |
| lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:276:8:276:11 | opts |
| lib/lib.js:276:8:276:11 | opts |
| lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:307:39:307:42 | name |
| lib/lib.js:307:39:307:42 | name |
| lib/lib.js:308:23:308:26 | name |
| lib/lib.js:308:23:308:26 | name |
edges
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:91:28:91:31 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:91:28:91:31 | name |
| lib/lib.js:91:28:91:31 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:91:28:91:31 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:177:38:177:41 | name | lib/lib.js:181:21:181:24 | name |
| lib/lib.js:177:38:177:41 | name | lib/lib.js:181:21:181:24 | name |
| lib/lib.js:181:6:181:52 | broken | lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:181:6:181:52 | broken | lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" | lib/lib.js:181:6:181:52 | broken |
| lib/lib.js:181:21:181:24 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") | lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj | lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj | lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
#select
| lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
| lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
| lib/lib.js:4:10:4:25 | "rm -rf " + name | lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib.js:4:2:4:26 | cp.exec ... + name) | shell command |
| lib/lib.js:11:10:11:25 | "rm -rf " + name | lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:11:10:11:25 | "rm -rf " + name | String concatenation | lib/lib.js:11:2:11:26 | cp.exec ... + name) | shell command |
| lib/lib.js:15:10:15:25 | "rm -rf " + name | lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:15:10:15:25 | "rm -rf " + name | String concatenation | lib/lib.js:15:2:15:26 | cp.exec ... + name) | shell command |
| lib/lib.js:20:10:20:25 | "rm -rf " + name | lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:20:10:20:25 | "rm -rf " + name | String concatenation | lib/lib.js:20:2:20:26 | cp.exec ... + name) | shell command |
| lib/lib.js:27:10:27:25 | "rm -rf " + name | lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:27:10:27:25 | "rm -rf " + name | String concatenation | lib/lib.js:27:2:27:26 | cp.exec ... + name) | shell command |
| lib/lib.js:35:11:35:26 | "rm -rf " + name | lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:35:11:35:26 | "rm -rf " + name | String concatenation | lib/lib.js:35:3:35:27 | cp.exec ... + name) | shell command |
| lib/lib.js:38:11:38:26 | "rm -rf " + name | lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:38:11:38:26 | "rm -rf " + name | String concatenation | lib/lib.js:38:3:38:27 | cp.exec ... + name) | shell command |
| lib/lib.js:41:11:41:26 | "rm -rf " + name | lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:41:11:41:26 | "rm -rf " + name | String concatenation | lib/lib.js:41:3:41:27 | cp.exec ... + name) | shell command |
| lib/lib.js:50:35:50:50 | "rm -rf " + name | lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name | $@ based on libary input is later used in $@. | lib/lib.js:50:35:50:50 | "rm -rf " + name | String concatenation | lib/lib.js:50:2:50:51 | require ... + name) | shell command |
| lib/lib.js:54:13:54:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name | $@ based on libary input is later used in $@. | lib/lib.js:54:13:54:28 | "rm -rf " + name | String concatenation | lib/lib.js:55:2:55:14 | cp.exec(cmd1) | shell command |
| lib/lib.js:57:13:57:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name | $@ based on libary input is later used in $@. | lib/lib.js:57:13:57:28 | "rm -rf " + name | String concatenation | lib/lib.js:59:3:59:14 | cp.exec(cmd) | shell command |
| lib/lib.js:65:10:65:25 | "rm -rf " + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:65:10:65:25 | "rm -rf " + name | String concatenation | lib/lib.js:65:2:65:26 | cp.exec ... + name) | shell command |
| lib/lib.js:71:10:71:31 | "cat /f ... + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name | $@ based on libary input is later used in $@. | lib/lib.js:71:10:71:31 | "cat /f ... + name | String concatenation | lib/lib.js:71:2:71:32 | cp.exec ... + name) | shell command |
| lib/lib.js:73:10:73:31 | "cat \\" ... + "\\"" | lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name | $@ based on libary input is later used in $@. | lib/lib.js:73:10:73:31 | "cat \\" ... + "\\"" | String concatenation | lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") | shell command |
| lib/lib.js:75:10:75:29 | "cat '" + name + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name | $@ based on libary input is later used in $@. | lib/lib.js:75:10:75:29 | "cat '" + name + "'" | String concatenation | lib/lib.js:75:2:75:30 | cp.exec ... + "'") | shell command |
| lib/lib.js:77:10:77:37 | "cat '/ ... e + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name | $@ based on libary input is later used in $@. | lib/lib.js:77:10:77:37 | "cat '/ ... e + "'" | String concatenation | lib/lib.js:77:2:77:38 | cp.exec ... + "'") | shell command |
| lib/lib.js:83:10:83:25 | "rm -rf " + name | lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:83:10:83:25 | "rm -rf " + name | String concatenation | lib/lib.js:83:2:83:26 | cp.exec ... + name) | shell command |
| lib/lib.js:86:13:86:16 | name | lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name | $@ based on libary input is later used in $@. | lib/lib.js:86:13:86:16 | name | Array element | lib/lib.js:87:2:87:25 | cp.exec ... n(" ")) | shell command |
| lib/lib.js:89:21:89:24 | name | lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name | $@ based on libary input is later used in $@. | lib/lib.js:89:21:89:24 | name | Array element | lib/lib.js:89:2:89:36 | cp.exec ... n(" ")) | shell command |
| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | lib/lib.js:82:35:82:38 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | $@ based on libary input is later used in $@. | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | Array element | lib/lib.js:91:2:91:50 | cp.exec ... n(" ")) | shell command |
| lib/lib.js:98:35:98:38 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name | $@ based on libary input is later used in $@. | lib/lib.js:98:35:98:38 | name | Formatted string | lib/lib.js:98:2:98:40 | cp.exec ... name)) | shell command |
| lib/lib.js:100:37:100:40 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name | $@ based on libary input is later used in $@. | lib/lib.js:100:37:100:40 | name | Formatted string | lib/lib.js:100:2:100:42 | cp.exec ... name)) | shell command |
| lib/lib.js:102:46:102:49 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name | $@ based on libary input is later used in $@. | lib/lib.js:102:46:102:49 | name | Formatted string | lib/lib.js:102:2:102:51 | cp.exec ... name)) | shell command |
| lib/lib.js:108:41:108:44 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name | $@ based on libary input is later used in $@. | lib/lib.js:108:41:108:44 | name | Formatted string | lib/lib.js:108:2:108:46 | cp.exec ... name)) | shell command |
| lib/lib.js:112:10:112:25 | "rm -rf " + name | lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:112:10:112:25 | "rm -rf " + name | String concatenation | lib/lib.js:112:2:112:26 | cp.exec ... + name) | shell command |
| lib/lib.js:121:10:121:25 | "rm -rf " + name | lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:121:10:121:25 | "rm -rf " + name | String concatenation | lib/lib.js:121:2:121:26 | cp.exec ... + name) | shell command |
| lib/lib.js:131:11:131:26 | "rm -rf " + name | lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:131:11:131:26 | "rm -rf " + name | String concatenation | lib/lib.js:131:3:131:27 | cp.exec ... + name) | shell command |
| lib/lib.js:149:12:149:27 | "rm -rf " + name | lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name | $@ based on libary input is later used in $@. | lib/lib.js:149:12:149:27 | "rm -rf " + name | String concatenation | lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | shell command |
| lib/lib.js:161:13:161:28 | "rm -rf " + name | lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name | $@ based on libary input is later used in $@. | lib/lib.js:161:13:161:28 | "rm -rf " + name | String concatenation | lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | shell command |
| lib/lib.js:173:10:173:23 | "fo \| " + name | lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name | $@ based on libary input is later used in $@. | lib/lib.js:173:10:173:23 | "fo \| " + name | String concatenation | lib/lib.js:173:2:173:24 | cp.exec ... + name) | shell command |
| lib/lib.js:182:10:182:27 | "rm -rf " + broken | lib/lib.js:177:38:177:41 | name | lib/lib.js:182:22:182:27 | broken | $@ based on libary input is later used in $@. | lib/lib.js:182:10:182:27 | "rm -rf " + broken | String concatenation | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command |
| lib/lib.js:187:10:187:25 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:187:10:187:25 | "rm -rf " + name | String concatenation | lib/lib.js:187:2:187:26 | cp.exec ... + name) | shell command |
| lib/lib.js:190:11:190:26 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:190:11:190:26 | "rm -rf " + name | String concatenation | lib/lib.js:190:3:190:27 | cp.exec ... + name) | shell command |
| lib/lib.js:197:10:197:25 | "rm -rf " + name | lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:197:10:197:25 | "rm -rf " + name | String concatenation | lib/lib.js:197:2:197:26 | cp.exec ... + name) | shell command |
| lib/lib.js:200:11:200:26 | "rm -rf " + name | lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:200:11:200:26 | "rm -rf " + name | String concatenation | lib/lib.js:200:3:200:27 | cp.exec ... + name) | shell command |
| lib/lib.js:207:10:207:25 | "rm -rf " + name | lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:207:10:207:25 | "rm -rf " + name | String concatenation | lib/lib.js:207:2:207:26 | cp.exec ... + name) | shell command |
| lib/lib.js:212:11:212:26 | "rm -rf " + name | lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:212:11:212:26 | "rm -rf " + name | String concatenation | lib/lib.js:212:3:212:27 | cp.exec ... + name) | shell command |
| lib/lib.js:217:10:217:25 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:217:10:217:25 | "rm -rf " + name | String concatenation | lib/lib.js:217:2:217:26 | cp.exec ... + name) | shell command |
| lib/lib.js:220:11:220:26 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:220:11:220:26 | "rm -rf " + name | String concatenation | lib/lib.js:220:3:220:27 | cp.exec ... + name) | shell command |
| lib/lib.js:224:10:224:25 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:224:10:224:25 | "rm -rf " + name | String concatenation | lib/lib.js:224:2:224:26 | cp.exec ... + name) | shell command |
| lib/lib.js:228:10:228:25 | "rm -rf " + name | lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:228:10:228:25 | "rm -rf " + name | String concatenation | lib/lib.js:228:2:228:26 | cp.exec ... + name) | shell command |
| lib/lib.js:236:10:236:25 | "rm -rf " + name | lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:236:10:236:25 | "rm -rf " + name | String concatenation | lib/lib.js:236:2:236:26 | cp.exec ... + name) | shell command |
| lib/lib.js:249:10:249:25 | "rm -rf " + name | lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:249:10:249:25 | "rm -rf " + name | String concatenation | lib/lib.js:249:2:249:26 | cp.exec ... + name) | shell command |
| lib/lib.js:258:10:258:25 | "rm -rf " + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:258:10:258:25 | "rm -rf " + name | String concatenation | lib/lib.js:258:2:258:26 | cp.exec ... + name) | shell command |
| lib/lib.js:261:11:261:33 | "rm -rf ... + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name | $@ based on libary input is later used in $@. | lib/lib.js:261:11:261:33 | "rm -rf ... + name | String concatenation | lib/lib.js:261:3:261:34 | cp.exec ... + name) | shell command |
| lib/lib.js:268:10:268:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:268:10:268:32 | "rm -rf ... version | String concatenation | lib/lib.js:268:2:268:33 | cp.exec ... ersion) | shell command |
| lib/lib.js:272:10:272:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:272:10:272:32 | "rm -rf ... version | String concatenation | lib/lib.js:272:2:272:33 | cp.exec ... ersion) | shell command |
| lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | $@ based on libary input is later used in $@. | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | String concatenation | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command |
| lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:308:11:308:26 | "rm -rf " + name | String concatenation | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command |

1
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE-078/UnsafeShellCommandConstruction.ql

7
javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.expected
View File

@@ -1,4 +1,8 @@
readFile
| lib/lib.js:71:2:71:32 | cp.exec ... + name) | fs.readFile("/foO/BAR/" + name) |
| lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") | fs.readFile(""" + name + """) |
| lib/lib.js:75:2:75:30 | cp.exec ... + "'") | fs.readFile("'" + name + "'") |
| lib/lib.js:77:2:77:38 | cp.exec ... + "'") | fs.readFile("'/foo/bar" + name + "'") |
| uselesscat.js:10:1:10:43 | exec("c ... ut) {}) | fs.readFile("foo/bar", function(err, out) {...}) |
| uselesscat.js:12:1:14:2 | exec("c ... ut);\\n}) | fs.readFile("/proc/" + id + "/status", function(err, out) {...}) |
| uselesscat.js:16:1:16:29 | execSyn ... uinfo') | fs.readFileSync("/proc/cpuinfo") |
@@ -89,6 +93,9 @@ options
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:53:25:53:58 | ['/C', ... , cmd]) |
| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:54:25:54:49 | ['/C', ... at(cmd) |
| child_process-test.js:64:3:64:21 | cp.spawn(cmd, args) | child_process-test.js:64:17:64:20 | args |
| lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | lib/lib.js:152:21:152:22 | cb |
| lib/lib.js:159:2:159:23 | cp.spaw ... gs, cb) | lib/lib.js:159:21:159:22 | cb |
| lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | lib/lib.js:166:3:166:22 | { stdio: 'inherit' } |
| uselesscat.js:28:1:28:39 | execSyn ... 1000}) | uselesscat.js:28:28:28:38 | {uid: 1000} |
| uselesscat.js:30:1:30:64 | exec('c ... t) { }) | uselesscat.js:30:26:30:38 | { cwd: './' } |
| uselesscat.js:34:1:34:54 | execSyn ... utf8'}) | uselesscat.js:34:36:34:53 | {encoding: 'utf8'} |

312
javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js Normal file
View File

@@ -0,0 +1,312 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK
cp.execFile(name, [name]); // OK
cp.execFile(name, name); // OK
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports.foo.bar = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
function cla() { }
cla.prototype.method = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports = new cla();
function cla2() { }
cla2.prototype.method = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports.bla = new cla2();
module.exports.lib2 = require("./lib2.js")
class Cla3 {
constructor(name) {
cp.exec("rm -rf " + name); // NOT OK
}
static foo(name) {
cp.exec("rm -rf " + name); // NOT OK
}
bar(name) {
cp.exec("rm -rf " + name); // NOT OK
cp.exec("rm -rf " + notASource); // OK
}
}
module.exports.cla3 = Cla3;
module.exports.mz = function (name) {
require("mz/child_process").exec("rm -rf " + name); // NOT OK.
}
module.exports.flow = function (name) {
var cmd1 = "rm -rf " + name;
cp.exec(cmd1); // NOT OK.
var cmd2 = "rm -rf " + name;
function myExec(cmd) {
cp.exec(cmd); // NOT OK.
}
myExec(cmd2);
}
module.exports.stringConcat = function (name) {
cp.exec("rm -rf " + name); // NOT OK.
cp.exec(name); // OK.
cp.exec("for foo in (" + name + ") do bla end"); // OK.
cp.exec("cat /foO/BAR/" + name) // NOT OK.
cp.exec("cat \"" + name + "\"") // NOT OK.
cp.exec("cat '" + name + "'") // NOT OK.
cp.exec("cat '/foo/bar" + name + "'") // NOT OK.
cp.exec(name + " some file") // OK.
}
module.exports.arrays = function (name) {
cp.exec("rm -rf " + name); // NOT OK.
var args1 = ["node"];
args1.push(name);
cp.exec(args1.join(" ")); // NOT OK.
cp.exec(["rm -rf", name].join(" ")); // NOT OK.
cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // NOT OK.
cp.execFile("rm", ["-rf", name]); // OK
}
var util = require("util");
module.exports.format = function (name) {
cp.exec(util.format("rm -rf %s", name)); // NOT OK
cp.exec(util.format("rm -rf '%s'", name)); // NOT OK
cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // NOT OK
cp.exec(util.format("%s foo/bar", name)); // OK
cp.exec(util.format("for foo in (%s) do bar end", name)); // OK
cp.exec(require("printf")('rm -rf %s', name)); // NOT OK
}
module.exports.valid = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!isValidName(name)) {
return;
}
cp.exec("rm -rf " + name); // OK
}
module.exports.safe = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!isSafeName(name)) {
return;
}
cp.exec("rm -rf " + name); // OK
}
class Cla4 {
wha(name) {
cp.exec("rm -rf " + name); // NOT OK
}
static bla(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
constructor(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
}
module.exports.cla4 = new Cla4();
function Cla5(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
module.exports.cla5 = new Cla5();
module.exports.indirect = function (name) {
let cmd = "rm -rf " + name;
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb); // NOT OK
}
module.exports.indirect2 = function (name) {
let cmd = name;
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb); // OK
let cmd2 = "rm -rf " + name;
var args2 = [cmd2];
cp.spawn(
'cmd.exe',
['/C', editor].concat(args2),
{ stdio: 'inherit' }
);
}
module.exports.cmd = function (command, name) {
cp.exec("fo | " + command); // OK
cp.exec("fo | " + name); // NOT OK
}
module.exports.sanitizer = function (name) {
var sanitized = "'" + name.replace(/'/g, "'\\''") + "'"
cp.exec("rm -rf " + sanitized); // OK
var broken = "'" + name.replace(/'/g, "'\''") + "'"
cp.exec("rm -rf " + broken); // NOT OK
}
var path = require("path");
module.exports.guard = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!path.exist(name)) {
cp.exec("rm -rf " + name); // NOT OK
return;
}
cp.exec("rm -rf " + name); // OK
}
module.exports.blacklistOfChars = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (/[^A-Za-z0-9_\/:=-]/.test(name)) {
cp.exec("rm -rf " + name); // NOT OK
} else {
cp.exec("rm -rf " + name); // OK
}
}
module.exports.whitelistOfChars = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (/^[A-Za-z0-9_\/:=-]$/.test(name)) {
cp.exec("rm -rf " + name); // OK
} else {
cp.exec("rm -rf " + name); // NOT OK
}
}
module.exports.blackList2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!/^([a-zA-Z0-9]+))?$/.test(name)) {
cp.exec("rm -rf " + name); // NOT OK
process.exit(-1);
}
cp.exec("rm -rf " + name); // OK - but FP due to tracking flow through `process.exit()`.
}
module.exports.accessSync = function (name) {
cp.exec("rm -rf " + name); // NOT OK
try {
path.accessSync(name);
} catch (e) {
return;
}
cp.exec("rm -rf " + name); // OK - but FP due to `path.accessSync` not being recognized as a sanitizer.
}
var cleanInput = function (s) {
if (/[^A-Za-z0-9_\/:=-]/.test(s)) {
s = "'" + s.replace(/'/g, "'\\''") + "'";
s = s.replace(/^(?:'')+/g, '') // unduplicate single-quote at the beginning
.replace(/\\'''/g, "\\'"); // remove non-escaped single-quote if there are enclosed between 2 escaped
}
return s;
}
module.exports.goodSanitizer = function (name) {
cp.exec("rm -rf " + name); // NOT OK
var cleaned = cleanInput(name);
cp.exec("rm -rf " + cleaned); // OK
}
var fs = require("fs");
module.exports.guard2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!fs.existsSync("prefix/" + name)) {
cp.exec("rm -rf prefix/" + name); // NOT OK
return;
}
cp.exec("rm -rf prefix/" + name); // OK
}
module.exports.sanitizerProperty = function (obj) {
cp.exec("rm -rf " + obj.version); // NOT OK
obj.version = "";
cp.exec("rm -rf " + obj.version); // OK - but FP
}
module.exports.Foo = class Foo {
start(opts) {
cp.exec("rm -rf " + opts.bla); // NOT OK
this.opts = {};
this.opts.bla = opts.bla
cp.exec("rm -rf " + this.opts.bla); // NOT OK - but FN
}
}
function sanitizeShellString(str) {
let result = str;
result = result.replace(/>/g, "");
result = result.replace(/</g, "");
result = result.replace(/\*/g, "");
result = result.replace(/\?/g, "");
result = result.replace(/\[/g, "");
result = result.replace(/\]/g, "");
result = result.replace(/\|/g, "");
result = result.replace(/\`/g, "");
result = result.replace(/$/g, "");
result = result.replace(/;/g, "");
result = result.replace(/&/g, "");
result = result.replace(/\)/g, "");
result = result.replace(/\(/g, "");
result = result.replace(/\$/g, "");
result = result.replace(/#/g, "");
result = result.replace(/\\/g, "");
result = result.replace(/\n/g, "");
return result
}
module.exports.sanitizer2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
var sanitized = sanitizeShellString(name);
cp.exec("rm -rf " + sanitized); // OK
}

9
javascript/ql/test/query-tests/Security/CWE-078/lib/lib2.js Normal file
View File

@@ -0,0 +1,9 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK - is imported from main module.
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // NOT OK - is imported from main module.
};

5
javascript/ql/test/query-tests/Security/CWE-078/lib/other.js Normal file
View File

@@ -0,0 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // OK, is not exported to a main-module.
};

5
javascript/ql/test/query-tests/Security/CWE-078/lib/subLib/index.js Normal file
View File

@@ -0,0 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // OK - this file belongs in a sub-"module", and is not the primary exported module.
};

5
javascript/ql/test/query-tests/Security/CWE-078/lib/subLib/package.json Normal file
View File

@@ -0,0 +1,5 @@
{
"name": "mySubLib",
"version": "0.0.7",
"main": "./index.js"
}

7
javascript/ql/test/query-tests/Security/CWE-078/other.js
View File

@@ -17,4 +17,11 @@ var server = http.createServer(function(req, res) {
require("exec-async")(cmd); // NOT OK
require("execa")(cmd); // NOT OK
require("remote-exec")(target, cmd); // NOT OK
const ssh2 = require("ssh2");
new ssh2().exec(cmd); // NOT OK
new ssh2.Client().exec(cmd); // NOT OK
const SSH2Stream = require("ssh2-streams").SSH2Stream;
new SSH2Stream().exec(false, cmd); // NOT OK
});

5
javascript/ql/test/query-tests/Security/CWE-078/package.json Normal file
View File

@@ -0,0 +1,5 @@
{
"name": "myLib",
"version": "0.0.7",
"main": "./lib/lib.js"
}

12
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
View File

@@ -19,6 +19,12 @@ nodes
| ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id |
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id |
| ReflectedXssGood3.js:135:9:135:27 | url |
| ReflectedXssGood3.js:135:15:135:27 | req.params.id |
| ReflectedXssGood3.js:135:15:135:27 | req.params.id |
| ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) |
| ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) |
| ReflectedXssGood3.js:139:24:139:26 | url |
| etherpad.js:9:5:9:53 | response |
| etherpad.js:9:16:9:30 | req.query.jsonp |
| etherpad.js:9:16:9:30 | req.query.jsonp |
@@ -105,6 +111,11 @@ edges
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id |
| ReflectedXssGood3.js:135:9:135:27 | url | ReflectedXssGood3.js:139:24:139:26 | url |
| ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:135:9:135:27 | url |
| ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:135:9:135:27 | url |
| ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) |
| ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) |
| etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response |
| etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response |
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" |
@@ -166,6 +177,7 @@ edges
| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
| ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
| ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value |
| etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
| exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id | Cross-site scripting vulnerability due to $@. | exception-xss.js:190:12:190:24 | req.params.id | user-provided value |
| formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |

36
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.js
View File

@@ -49,3 +49,39 @@ app.get('/echo', function(req, res) {
res.setHeader('Content-Length', msg.length);
res.end(msg);
});
app.get('/user/:id', function(req, res) {
const url = req.params.id;
if (!/["'&<>]/.exec(url)) {
res.send(url); // OK
}
});
function escapeHtml1 (str) {
if (!/["'&<>]/.exec(str)) {
return str;
}
}
app.get('/user/:id', function(req, res) {
const url = req.params.id;
res.send(escapeHtml1(url)); // OK
});
const matchHtmlRegExp = /["'&<>]/;
function escapeHtml2 (string) {
const str = '' + string;
const match = matchHtmlRegExp.exec(str);
if (!match) {
return str;
}
}
app.get('/user/:id', function(req, res) {
const url = req.params.id;
res.send(escapeHtml2(url)); // OK
});

142
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood3.js Normal file
View File

@@ -0,0 +1,142 @@
var express = require('express');
var app = express();
function escapeHtml1(string) {
var str = "" + string;
let escape;
let html = '';
let lastIndex = 0;
for (let index = 0; index < str.length; index++) {
switch (str.charCodeAt(index)) {
case 34: // "
escape = '&quot;';
break;
case 38: // &
escape = '&amp;';
break;
case 39: // '
escape = '&#39;';
break;
case 60: // <
escape = '&lt;';
break;
case 62: // >
escape = '&gt;';
break;
default:
continue;
}
if (lastIndex !== index) {
html += str.substring(lastIndex, index);
}
lastIndex = index + 1;
html += escape;
}
return lastIndex !== index
? html + str.substring(lastIndex, index)
: html;
}
function escapeHtml2(s) {
var buf = "";
while (i < s.length) {
var ch = s[i++];
switch (ch) {
case '&':
buf += '&amp;';
break;
case '<':
buf += '&lt;';
break;
case '\"':
buf += '&quot;';
break;
default:
buf += ch;
break;
}
}
return buf;
}
function escapeHtml3(value) {
var i = 0;
var XMLChars = {
AMP: 38, // "&"
QUOT: 34, // "\""
LT: 60, // "<"
GT: 62, // ">"
};
var parts = [value.substring(0, i)];
while (i < length) {
switch (ch) {
case XMLChars.AMP:
parts.push('&amp;');
break;
case XMLChars.QUOT:
parts.push('&quot;');
break;
case XMLChars.LT:
parts.push('&lt;');
break;
case XMLChars.GT:
parts.push('&gt;');
break;
}
++i;
var j = i;
while (i < length) {
ch = value.charCodeAt(i);
if (ch === XMLChars.AMP ||
ch === XMLChars.QUOT || ch === XMLChars.LT ||
ch === XMLChars.GT) {
break;
}
i++;
}
if (j < i) {
parts.push(value.substring(j, i));
}
}
return parts.join('');
}
function escapeHtml4(s) {
var buf = "";
while (i < s.length) {
var ch = s.chatAt(i++);
switch (ch) {
case '&':
buf += '&amp;';
break;
case '<':
buf += '&lt;';
break;
case '\"':
buf += '&quot;';
break;
default:
buf += ch;
break;
}
}
return buf;
}
app.get('/user/:id', function (req, res) {
const url = req.params.id;
res.send(escapeHtml1(url)); // OK
res.send(escapeHtml2(url)); // OK
res.send(escapeHtml3(url)); // OK - but FP
res.send(escapeHtml4(url)); // OK
});

1
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer.expected
View File

@@ -3,6 +3,7 @@
| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
| ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
| ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value |
| exception-xss.js:190:12:190:24 | req.params.id | Cross-site scripting vulnerability due to $@. | exception-xss.js:190:12:190:24 | req.params.id | user-provided value |
| formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
| formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |

105
javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
View File

@@ -36,6 +36,47 @@ nodes
| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:50:13:66 | req.query.message |
| nodemailer.js:13:50:13:66 | req.query.message |
| optionalSanitizer.js:2:7:2:39 | target |
| optionalSanitizer.js:2:16:2:32 | document.location |
| optionalSanitizer.js:2:16:2:32 | document.location |
| optionalSanitizer.js:2:16:2:39 | documen ... .search |
| optionalSanitizer.js:6:18:6:23 | target |
| optionalSanitizer.js:6:18:6:23 | target |
| optionalSanitizer.js:8:7:8:22 | tainted |
| optionalSanitizer.js:8:17:8:22 | target |
| optionalSanitizer.js:9:18:9:24 | tainted |
| optionalSanitizer.js:9:18:9:24 | tainted |
| optionalSanitizer.js:15:9:15:14 | target |
| optionalSanitizer.js:16:18:16:18 | x |
| optionalSanitizer.js:17:20:17:20 | x |
| optionalSanitizer.js:17:20:17:20 | x |
| optionalSanitizer.js:26:7:26:39 | target |
| optionalSanitizer.js:26:16:26:32 | document.location |
| optionalSanitizer.js:26:16:26:32 | document.location |
| optionalSanitizer.js:26:16:26:39 | documen ... .search |
| optionalSanitizer.js:31:7:31:23 | tainted2 |
| optionalSanitizer.js:31:18:31:23 | target |
| optionalSanitizer.js:32:18:32:25 | tainted2 |
| optionalSanitizer.js:32:18:32:25 | tainted2 |
| optionalSanitizer.js:34:5:34:36 | tainted2 |
| optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) |
| optionalSanitizer.js:34:28:34:35 | tainted2 |
| optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:38:7:38:23 | tainted3 |
| optionalSanitizer.js:38:18:38:23 | target |
| optionalSanitizer.js:39:18:39:25 | tainted3 |
| optionalSanitizer.js:39:18:39:25 | tainted3 |
| optionalSanitizer.js:41:5:41:36 | tainted3 |
| optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) |
| optionalSanitizer.js:41:28:41:35 | tainted3 |
| optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
| optionalSanitizer.js:45:41:45:46 | target |
| optionalSanitizer.js:45:51:45:56 | target |
| react-native.js:7:7:7:33 | tainted |
| react-native.js:7:17:7:33 | req.param("code") |
| react-native.js:7:17:7:33 | req.param("code") |
@@ -53,6 +94,11 @@ nodes
| stored-xss.js:5:20:5:52 | session ... ssion') |
| stored-xss.js:8:20:8:48 | localSt ... local') |
| stored-xss.js:8:20:8:48 | localSt ... local') |
| stored-xss.js:10:9:10:44 | href |
| stored-xss.js:10:16:10:44 | localSt ... local') |
| stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
| stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
| stored-xss.js:12:35:12:38 | href |
| string-manipulations.js:3:16:3:32 | document.location |
| string-manipulations.js:3:16:3:32 | document.location |
| string-manipulations.js:3:16:3:32 | document.location |
@@ -417,6 +463,51 @@ edges
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:6:18:6:23 | target |
| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:6:18:6:23 | target |
| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:8:17:8:22 | target |
| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:15:9:15:14 | target |
| optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:2:16:2:39 | documen ... .search |
| optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:2:16:2:39 | documen ... .search |
| optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:2:7:2:39 | target |
| optionalSanitizer.js:8:7:8:22 | tainted | optionalSanitizer.js:9:18:9:24 | tainted |
| optionalSanitizer.js:8:7:8:22 | tainted | optionalSanitizer.js:9:18:9:24 | tainted |
| optionalSanitizer.js:8:17:8:22 | target | optionalSanitizer.js:8:7:8:22 | tainted |
| optionalSanitizer.js:15:9:15:14 | target | optionalSanitizer.js:16:18:16:18 | x |
| optionalSanitizer.js:16:18:16:18 | x | optionalSanitizer.js:17:20:17:20 | x |
| optionalSanitizer.js:16:18:16:18 | x | optionalSanitizer.js:17:20:17:20 | x |
| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:31:18:31:23 | target |
| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:38:18:38:23 | target |
| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:45:41:45:46 | target |
| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:45:51:45:56 | target |
| optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:26:16:26:39 | documen ... .search |
| optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:26:16:26:39 | documen ... .search |
| optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:26:7:26:39 | target |
| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:32:18:32:25 | tainted2 |
| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:32:18:32:25 | tainted2 |
| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:34:28:34:35 | tainted2 |
| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:31:18:31:23 | target | optionalSanitizer.js:31:7:31:23 | tainted2 |
| optionalSanitizer.js:34:5:34:36 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:34:5:34:36 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) | optionalSanitizer.js:34:5:34:36 | tainted2 |
| optionalSanitizer.js:34:28:34:35 | tainted2 | optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) |
| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:39:18:39:25 | tainted3 |
| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:39:18:39:25 | tainted3 |
| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:41:28:41:35 | tainted3 |
| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:38:18:38:23 | target | optionalSanitizer.js:38:7:38:23 | tainted3 |
| optionalSanitizer.js:41:5:41:36 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:41:5:41:36 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | optionalSanitizer.js:41:5:41:36 | tainted3 |
| optionalSanitizer.js:41:28:41:35 | tainted3 | optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) |
| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
| optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
@@ -431,6 +522,11 @@ edges
| stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:10:16:10:44 | localSt ... local') |
| stored-xss.js:10:9:10:44 | href | stored-xss.js:12:35:12:38 | href |
| stored-xss.js:10:16:10:44 | localSt ... local') | stored-xss.js:10:9:10:44 | href |
| stored-xss.js:12:35:12:38 | href | stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
| stored-xss.js:12:35:12:38 | href | stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
| string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location |
| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
@@ -728,10 +824,19 @@ edges
| jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
| jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value |
| optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
| optionalSanitizer.js:9:18:9:24 | tainted | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:9:18:9:24 | tainted | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
| optionalSanitizer.js:17:20:17:20 | x | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:17:20:17:20 | x | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
| optionalSanitizer.js:32:18:32:25 | tainted2 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:32:18:32:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
| optionalSanitizer.js:36:18:36:25 | tainted2 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:36:18:36:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
| optionalSanitizer.js:39:18:39:25 | tainted3 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:39:18:39:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
| optionalSanitizer.js:43:18:43:25 | tainted3 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:43:18:43:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
| optionalSanitizer.js:45:18:45:56 | sanitiz ... target | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:45:18:45:56 | sanitiz ... target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
| react-native.js:8:18:8:24 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:18:8:24 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
| react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
| stored-xss.js:5:20:5:52 | session ... ssion') | stored-xss.js:2:39:2:55 | document.location | stored-xss.js:5:20:5:52 | session ... ssion') | Cross-site scripting vulnerability due to $@. | stored-xss.js:2:39:2:55 | document.location | user-provided value |
| stored-xss.js:8:20:8:48 | localSt ... local') | stored-xss.js:3:35:3:51 | document.location | stored-xss.js:8:20:8:48 | localSt ... local') | Cross-site scripting vulnerability due to $@. | stored-xss.js:3:35:3:51 | document.location | user-provided value |
| stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" | stored-xss.js:3:35:3:51 | document.location | stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" | Cross-site scripting vulnerability due to $@. | stored-xss.js:3:35:3:51 | document.location | user-provided value |
| string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | Cross-site scripting vulnerability due to $@. | string-manipulations.js:3:16:3:32 | document.location | user-provided value |
| string-manipulations.js:4:16:4:37 | documen ... on.href | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href | Cross-site scripting vulnerability due to $@. | string-manipulations.js:4:16:4:32 | document.location | user-provided value |
| string-manipulations.js:5:16:5:47 | documen ... lueOf() | string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:47 | documen ... lueOf() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:5:16:5:32 | document.location | user-provided value |

96
javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
View File

@@ -36,6 +36,47 @@ nodes
| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:50:13:66 | req.query.message |
| nodemailer.js:13:50:13:66 | req.query.message |
| optionalSanitizer.js:2:7:2:39 | target |
| optionalSanitizer.js:2:16:2:32 | document.location |
| optionalSanitizer.js:2:16:2:32 | document.location |
| optionalSanitizer.js:2:16:2:39 | documen ... .search |
| optionalSanitizer.js:6:18:6:23 | target |
| optionalSanitizer.js:6:18:6:23 | target |
| optionalSanitizer.js:8:7:8:22 | tainted |
| optionalSanitizer.js:8:17:8:22 | target |
| optionalSanitizer.js:9:18:9:24 | tainted |
| optionalSanitizer.js:9:18:9:24 | tainted |
| optionalSanitizer.js:15:9:15:14 | target |
| optionalSanitizer.js:16:18:16:18 | x |
| optionalSanitizer.js:17:20:17:20 | x |
| optionalSanitizer.js:17:20:17:20 | x |
| optionalSanitizer.js:26:7:26:39 | target |
| optionalSanitizer.js:26:16:26:32 | document.location |
| optionalSanitizer.js:26:16:26:32 | document.location |
| optionalSanitizer.js:26:16:26:39 | documen ... .search |
| optionalSanitizer.js:31:7:31:23 | tainted2 |
| optionalSanitizer.js:31:18:31:23 | target |
| optionalSanitizer.js:32:18:32:25 | tainted2 |
| optionalSanitizer.js:32:18:32:25 | tainted2 |
| optionalSanitizer.js:34:5:34:36 | tainted2 |
| optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) |
| optionalSanitizer.js:34:28:34:35 | tainted2 |
| optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:38:7:38:23 | tainted3 |
| optionalSanitizer.js:38:18:38:23 | target |
| optionalSanitizer.js:39:18:39:25 | tainted3 |
| optionalSanitizer.js:39:18:39:25 | tainted3 |
| optionalSanitizer.js:41:5:41:36 | tainted3 |
| optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) |
| optionalSanitizer.js:41:28:41:35 | tainted3 |
| optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
| optionalSanitizer.js:45:41:45:46 | target |
| optionalSanitizer.js:45:51:45:56 | target |
| react-native.js:7:7:7:33 | tainted |
| react-native.js:7:17:7:33 | req.param("code") |
| react-native.js:7:17:7:33 | req.param("code") |
@@ -53,6 +94,11 @@ nodes
| stored-xss.js:5:20:5:52 | session ... ssion') |
| stored-xss.js:8:20:8:48 | localSt ... local') |
| stored-xss.js:8:20:8:48 | localSt ... local') |
| stored-xss.js:10:9:10:44 | href |
| stored-xss.js:10:16:10:44 | localSt ... local') |
| stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
| stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
| stored-xss.js:12:35:12:38 | href |
| string-manipulations.js:3:16:3:32 | document.location |
| string-manipulations.js:3:16:3:32 | document.location |
| string-manipulations.js:3:16:3:32 | document.location |
@@ -421,6 +467,51 @@ edges
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:6:18:6:23 | target |
| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:6:18:6:23 | target |
| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:8:17:8:22 | target |
| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:15:9:15:14 | target |
| optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:2:16:2:39 | documen ... .search |
| optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:2:16:2:39 | documen ... .search |
| optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:2:7:2:39 | target |
| optionalSanitizer.js:8:7:8:22 | tainted | optionalSanitizer.js:9:18:9:24 | tainted |
| optionalSanitizer.js:8:7:8:22 | tainted | optionalSanitizer.js:9:18:9:24 | tainted |
| optionalSanitizer.js:8:17:8:22 | target | optionalSanitizer.js:8:7:8:22 | tainted |
| optionalSanitizer.js:15:9:15:14 | target | optionalSanitizer.js:16:18:16:18 | x |
| optionalSanitizer.js:16:18:16:18 | x | optionalSanitizer.js:17:20:17:20 | x |
| optionalSanitizer.js:16:18:16:18 | x | optionalSanitizer.js:17:20:17:20 | x |
| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:31:18:31:23 | target |
| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:38:18:38:23 | target |
| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:45:41:45:46 | target |
| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:45:51:45:56 | target |
| optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:26:16:26:39 | documen ... .search |
| optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:26:16:26:39 | documen ... .search |
| optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:26:7:26:39 | target |
| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:32:18:32:25 | tainted2 |
| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:32:18:32:25 | tainted2 |
| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:34:28:34:35 | tainted2 |
| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:31:18:31:23 | target | optionalSanitizer.js:31:7:31:23 | tainted2 |
| optionalSanitizer.js:34:5:34:36 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:34:5:34:36 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
| optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) | optionalSanitizer.js:34:5:34:36 | tainted2 |
| optionalSanitizer.js:34:28:34:35 | tainted2 | optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) |
| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:39:18:39:25 | tainted3 |
| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:39:18:39:25 | tainted3 |
| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:41:28:41:35 | tainted3 |
| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:38:18:38:23 | target | optionalSanitizer.js:38:7:38:23 | tainted3 |
| optionalSanitizer.js:41:5:41:36 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:41:5:41:36 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
| optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | optionalSanitizer.js:41:5:41:36 | tainted3 |
| optionalSanitizer.js:41:28:41:35 | tainted3 | optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) |
| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
| optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
@@ -435,6 +526,11 @@ edges
| stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:10:16:10:44 | localSt ... local') |
| stored-xss.js:10:9:10:44 | href | stored-xss.js:12:35:12:38 | href |
| stored-xss.js:10:16:10:44 | localSt ... local') | stored-xss.js:10:9:10:44 | href |
| stored-xss.js:12:35:12:38 | href | stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
| stored-xss.js:12:35:12:38 | href | stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
| string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location |
| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |

46
javascript/ql/test/query-tests/Security/CWE-079/optionalSanitizer.js Normal file
View File

@@ -0,0 +1,46 @@
function test() {
var target = document.location.search
$('myId').html(sanitize ? DOMPurify.sanitize(target) : target); // OK
$('myId').html(target); // NOT OK
var tainted = target;
$('myId').html(tainted); // NOT OK
if (sanitize) {
tainted = DOMPurify.sanitize(tainted);
}
$('myId').html(tainted); // OK
inner(target);
function inner(x) {
$('myId').html(x); // NOT OK
if (sanitize) {
x = DOMPurify.sanitize(x);
}
$('myId').html(x); // OK
}
}
function badSanitizer() {
var target = document.location.search
function sanitizeBad(x) {
return x; // No sanitization;
}
var tainted2 = target;
$('myId').html(tainted2); // NOT OK
if (sanitize) {
tainted2 = sanitizeBad(tainted2);
}
$('myId').html(tainted2); // NOT OK
var tainted3 = target;
$('myId').html(tainted3); // NOT OK
if (sanitize) {
tainted3 = sanitizeBad(tainted3);
}
$('myId').html(tainted3); // NOT OK
$('myId').html(sanitize ? sanitizeBad(target) : target); // NOT OK
}

Some files were not shown because too many files have changed in this diff Show More