From fcfab5238e4bcde13202e6dc7aa80a20609f9907 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Wed, 4 Oct 2023 21:21:39 +0200
Subject: [PATCH] JS: Port CodeInjection
---
 .../security/dataflow/CodeInjectionQuery.qll | 28 +-
 .../ql/src/Security/CWE-094/CodeInjection.ql | 6 +-
 .../Templating/CodeInjection.expected | 151 +++----
 .../CodeInjection/CodeInjection.expected | 384 +++++-------------
 4 files changed, 165 insertions(+), 404 deletions(-)
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
index ea57dd73588..811a9575504 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
@@ -13,7 +13,28 @@ import CodeInjectionCustomizations::CodeInjection
 /**
 * A taint-tracking configuration for reasoning about code injection vulnerabilities.
 */
-class Configuration extends TaintTracking::Configuration {
+module CodeInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+ // HTML sanitizers are insufficient protection against code injection
+ node1 = node2.(HtmlSanitizerCall).getInput()
+ }
+}
+
+/**
+ * Taint-tracking for reasoning about code injection vulnerabilities.
+ */
+module CodeInjectionFlow = TaintTracking::Global;
+
+/**
+ * DEPRRECATED. Use the `CodeInjectionFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "CodeInjection" }
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
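Review bot: The doc comment added above the deprecated `Configuration` class spells the marker `DEPRRECATED`; it should read `DEPRECATED` so that a search for the deprecation marker finds it. As rendered here, `module CodeInjectionFlow = TaintTracking::Global;` applies no configuration; if that is not a rendering loss, the instantiation presumably needs `TaintTracking::Global<CodeInjectionConfig>`. The new `isBarrier` holds only for `node instanceof Sanitizer`, while the old class's sanitizer predicate starts outside both hunks of this file, so it is worth confirming that no barrier was dropped in the port, since that would change which flows the query reports. The `Configuration` class body continues past the end of this hunk.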
@@ -25,8 +46,7 @@ class Configuration extends TaintTracking::Configuration {
 node instanceof Sanitizer
 }
- override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
- // HTML sanitizers are insufficient protection against code injection
- src = trg.(HtmlSanitizerCall).getInput()
+ override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+ CodeInjectionConfig::isAdditionalFlowStep(node1, node2)
 }
 }
diff --git a/javascript/ql/src/Security/CWE-094/CodeInjection.ql b/javascript/ql/src/Security/CWE-094/CodeInjection.ql
index a4ed71e2949..c08f75bb673 100644
--- a/javascript/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/javascript/ql/src/Security/CWE-094/CodeInjection.ql
@@ -16,9 +16,9 @@
 import javascript
 import semmle.javascript.security.dataflow.CodeInjectionQuery
-import DataFlow::PathGraph
+import CodeInjectionFlow::PathGraph
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+where CodeInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, sink.getNode().(Sink).getMessagePrefix() + " depends on a $@.", source.getNode(), "user-provided value"
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected
index 48b2111a4a2..de308fdabdf 100644
--- a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected
+++ b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected
@@ -1,140 +1,83 @@ -nodes -| app.js:15:30:15:58 | req.que ... tedCode | -| app.js:15:30:15:58 | req.que ... tedCode | -| app.js:17:25:17:48 | req.que ... shSink1 | -| app.js:17:25:17:48 | req.que ... shSink1 | -| app.js:19:35:19:68 | req.que ... rString | -| app.js:19:35:19:68 | req.que ... rString | -| app.js:34:30:34:58 | req.que ... tedCode | -| app.js:34:30:34:58 | req.que ... tedCode | -| app.js:36:25:36:48 | req.que ... shSink1 | -| app.js:36:25:36:48 | req.que ... shSink1 | -| app.js:38:35:38:68 | req.que ... rString | -| app.js:38:35:38:68 | req.que ... rString | -| app.js:53:30:53:58 | req.que ... tedCode | -| app.js:53:30:53:58 | req.que ... tedCode | -| app.js:54:33:54:64 | req.que ... CodeRaw | -| app.js:54:33:54:64 | req.que ... CodeRaw | -| app.js:56:25:56:48 | req.que ... shSink1 | -| app.js:56:25:56:48 | req.que ... shSink1 | -| app.js:58:35:58:68 | req.que ... rString | -| app.js:58:35:58:68 | req.que ... rString | -| app.js:59:38:59:74 | req.que ... ringRaw | -| app.js:59:38:59:74 | req.que ... ringRaw | -| app.js:65:22:65:42 | req.que ... pedHtml | -| app.js:65:22:65:42 | req.que ... 
pedHtml | -| app.js:66:18:66:34 | req.query.rawHtml | -| app.js:66:18:66:34 | req.query.rawHtml | -| views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | -| views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | -| views/angularjs_include.ejs:2:9:2:19 | escapedHtml | -| views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | -| views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | -| views/angularjs_include.ejs:3:9:3:15 | rawHtml | -| views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> | -| views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> | -| views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | -| views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | -| views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | -| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | -| views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | -| views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | -| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | -| views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | -| views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | -| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | -| views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | -| views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | -| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | -| views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} | -| views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} | -| views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | -| views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} | -| views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} | -| views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | -| views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} | -| views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} | -| views/hbs_sinks.hbs:33:42:33:65 | dataInE ... 
rString | -| views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} | -| views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} | -| views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | -| views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} | -| views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} | -| views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw | -| views/njk_sinks.njk:14:45:14:73 | dataInG ... \| safe | -| views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} | -| views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} | -| views/njk_sinks.njk:17:22:17:35 | backslashSink1 | -| views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} | -| views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} | -| views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | -| views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} | -| views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} | -| views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw | -| views/njk_sinks.njk:23:42:23:75 | dataInE ... \| safe | edges | app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | -| app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | -| app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | | app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | | app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | -| app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | -| app.js:34:30:34:58 | req.que ... tedCode | views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | | app.js:34:30:34:58 | req.que ... tedCode | views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | | app.js:36:25:36:48 | req.que ... 
shSink1 | views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | -| app.js:36:25:36:48 | req.que ... shSink1 | views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | -| app.js:38:35:38:68 | req.que ... rString | views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | | app.js:38:35:38:68 | req.que ... rString | views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | | app.js:53:30:53:58 | req.que ... tedCode | views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | -| app.js:53:30:53:58 | req.que ... tedCode | views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | -| app.js:54:33:54:64 | req.que ... CodeRaw | views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw | | app.js:54:33:54:64 | req.que ... CodeRaw | views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw | | app.js:56:25:56:48 | req.que ... shSink1 | views/njk_sinks.njk:17:22:17:35 | backslashSink1 | -| app.js:56:25:56:48 | req.que ... shSink1 | views/njk_sinks.njk:17:22:17:35 | backslashSink1 | -| app.js:58:35:58:68 | req.que ... rString | views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | | app.js:58:35:58:68 | req.que ... rString | views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | | app.js:59:38:59:74 | req.que ... ringRaw | views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw | -| app.js:59:38:59:74 | req.que ... ringRaw | views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw | -| app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_include.ejs:2:9:2:19 | escapedHtml | | app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_include.ejs:2:9:2:19 | escapedHtml | | app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | -| app.js:65:22:65:42 | req.que ... 
pedHtml | views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | -| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_include.ejs:3:9:3:15 | rawHtml | | app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_include.ejs:3:9:3:15 | rawHtml | | app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | -| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | -| views/angularjs_include.ejs:2:9:2:19 | escapedHtml | views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | | views/angularjs_include.ejs:2:9:2:19 | escapedHtml | views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | | views/angularjs_include.ejs:3:9:3:15 | rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | -| views/angularjs_include.ejs:3:9:3:15 | rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | -| views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> | | views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> | | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | -| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | -| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | -| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | -| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... 
rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | | views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} | -| views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} | -| views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} | | views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} | | views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} | -| views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} | -| views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} | | views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} | | views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw | views/njk_sinks.njk:14:45:14:73 | dataInG ... \| safe | | views/njk_sinks.njk:14:45:14:73 | dataInG ... \| safe | views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} | -| views/njk_sinks.njk:14:45:14:73 | dataInG ... \| safe | views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} | | views/njk_sinks.njk:17:22:17:35 | backslashSink1 | views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} | -| views/njk_sinks.njk:17:22:17:35 | backslashSink1 | views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} | -| views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} | | views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} | | views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw | views/njk_sinks.njk:23:42:23:75 | dataInE ... 
\| safe | | views/njk_sinks.njk:23:42:23:75 | dataInE ... \| safe | views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} | -| views/njk_sinks.njk:23:42:23:75 | dataInE ... \| safe | views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} | +nodes +| app.js:15:30:15:58 | req.que ... tedCode | semmle.label | req.que ... tedCode | +| app.js:17:25:17:48 | req.que ... shSink1 | semmle.label | req.que ... shSink1 | +| app.js:19:35:19:68 | req.que ... rString | semmle.label | req.que ... rString | +| app.js:34:30:34:58 | req.que ... tedCode | semmle.label | req.que ... tedCode | +| app.js:36:25:36:48 | req.que ... shSink1 | semmle.label | req.que ... shSink1 | +| app.js:38:35:38:68 | req.que ... rString | semmle.label | req.que ... rString | +| app.js:53:30:53:58 | req.que ... tedCode | semmle.label | req.que ... tedCode | +| app.js:54:33:54:64 | req.que ... CodeRaw | semmle.label | req.que ... CodeRaw | +| app.js:56:25:56:48 | req.que ... shSink1 | semmle.label | req.que ... shSink1 | +| app.js:58:35:58:68 | req.que ... rString | semmle.label | req.que ... rString | +| app.js:59:38:59:74 | req.que ... ringRaw | semmle.label | req.que ... ringRaw | +| app.js:65:22:65:42 | req.que ... pedHtml | semmle.label | req.que ... 
pedHtml | +| app.js:66:18:66:34 | req.query.rawHtml | semmle.label | req.query.rawHtml | +| views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | semmle.label | <%= escapedHtml %> | +| views/angularjs_include.ejs:2:9:2:19 | escapedHtml | semmle.label | escapedHtml | +| views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | semmle.label | <%- rawHtml %> | +| views/angularjs_include.ejs:3:9:3:15 | rawHtml | semmle.label | rawHtml | +| views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> | semmle.label | <%= escapedHtml %> | +| views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | semmle.label | escapedHtml | +| views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | semmle.label | <%- rawHtml %> | +| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | semmle.label | rawHtml | +| views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | semmle.label | <%= dataInGeneratedCode %> | +| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | semmle.label | dataInGeneratedCode | +| views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | semmle.label | <%= backslashSink1 %> | +| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | semmle.label | backslashSink1 | +| views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | semmle.label | <%= dataInEventHandlerString %> | +| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | semmle.label | dataInE ... rString | +| views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} | semmle.label | {{ dataInGeneratedCode }} | +| views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | semmle.label | dataInGeneratedCode | +| views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} | semmle.label | {{ backslashSink1 }} | +| views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | semmle.label | backslashSink1 | +| views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} | semmle.label | {{ dataInEventHandlerString }} | +| views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | semmle.label | dataInE ... 
rString | +| views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} | semmle.label | {{ dataInGeneratedCode }} | +| views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | semmle.label | dataInGeneratedCode | +| views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} | semmle.label | {{ dataInGeneratedCodeRaw \| safe }} | +| views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw | semmle.label | dataInG ... CodeRaw | +| views/njk_sinks.njk:14:45:14:73 | dataInG ... \| safe | semmle.label | dataInG ... \| safe | +| views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} | semmle.label | {{ backslashSink1 }} | +| views/njk_sinks.njk:17:22:17:35 | backslashSink1 | semmle.label | backslashSink1 | +| views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} | semmle.label | {{ dataInEventHandlerString }} | +| views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | semmle.label | dataInE ... rString | +| views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} | semmle.label | {{ dataInEventHandlerStringRaw \| safe }} | +| views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw | semmle.label | dataInE ... ringRaw | +| views/njk_sinks.njk:23:42:23:75 | dataInE ... \| safe | semmle.label | dataInE ... \| safe | +subpaths #select | views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | This AngularJS template, which may contain code, depends on a $@. | app.js:65:22:65:42 | req.que ... pedHtml | user-provided value | | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | This AngularJS template, which may contain code, depends on a $@. | app.js:66:18:66:34 | req.query.rawHtml | user-provided value | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected index 1193c5e33bc..10d2e8e6f18 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected 
@@ -1,335 +1,133 @@ -nodes -| NoSQLCodeInjection.js:18:24:18:31 | req.body | -| NoSQLCodeInjection.js:18:24:18:31 | req.body | -| NoSQLCodeInjection.js:18:24:18:37 | req.body.query | -| NoSQLCodeInjection.js:18:24:18:37 | req.body.query | -| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | -| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | -| NoSQLCodeInjection.js:19:36:19:43 | req.body | -| NoSQLCodeInjection.js:19:36:19:43 | req.body | -| NoSQLCodeInjection.js:19:36:19:48 | req.body.name | -| NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | -| NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | -| NoSQLCodeInjection.js:22:36:22:43 | req.body | -| NoSQLCodeInjection.js:22:36:22:43 | req.body | -| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | -| actions.js:4:10:4:50 | github. ... message | -| actions.js:4:10:4:50 | github. ... message | -| actions.js:4:10:4:50 | github. ... message | -| angularjs.js:10:22:10:36 | location.search | -| angularjs.js:10:22:10:36 | location.search | -| angularjs.js:10:22:10:36 | location.search | -| angularjs.js:13:23:13:37 | location.search | -| angularjs.js:13:23:13:37 | location.search | -| angularjs.js:13:23:13:37 | location.search | -| angularjs.js:16:28:16:42 | location.search | -| angularjs.js:16:28:16:42 | location.search | -| angularjs.js:16:28:16:42 | location.search | -| angularjs.js:19:22:19:36 | location.search | -| angularjs.js:19:22:19:36 | location.search | -| angularjs.js:19:22:19:36 | location.search | -| angularjs.js:22:27:22:41 | location.search | -| angularjs.js:22:27:22:41 | location.search | -| angularjs.js:22:27:22:41 | location.search | -| angularjs.js:25:23:25:37 | location.search | -| angularjs.js:25:23:25:37 | location.search | -| angularjs.js:25:23:25:37 | location.search | -| angularjs.js:28:33:28:47 | location.search | -| angularjs.js:28:33:28:47 | location.search | -| angularjs.js:28:33:28:47 | location.search | -| angularjs.js:31:28:31:42 | location.search | -| 
angularjs.js:31:28:31:42 | location.search | -| angularjs.js:31:28:31:42 | location.search | -| angularjs.js:34:18:34:32 | location.search | -| angularjs.js:34:18:34:32 | location.search | -| angularjs.js:34:18:34:32 | location.search | -| angularjs.js:40:18:40:32 | location.search | -| angularjs.js:40:18:40:32 | location.search | -| angularjs.js:40:18:40:32 | location.search | -| angularjs.js:44:17:44:31 | location.search | -| angularjs.js:44:17:44:31 | location.search | -| angularjs.js:44:17:44:31 | location.search | -| angularjs.js:47:16:47:30 | location.search | -| angularjs.js:47:16:47:30 | location.search | -| angularjs.js:47:16:47:30 | location.search | -| angularjs.js:50:22:50:36 | location.search | -| angularjs.js:50:22:50:36 | location.search | -| angularjs.js:50:22:50:36 | location.search | -| angularjs.js:53:32:53:46 | location.search | -| angularjs.js:53:32:53:46 | location.search | -| angularjs.js:53:32:53:46 | location.search | -| express.js:7:24:7:69 | "return ... + "];" | -| express.js:7:24:7:69 | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | -| express.js:7:44:7:62 | req.param("wobble") | -| express.js:9:34:9:79 | "return ... + "];" | -| express.js:9:34:9:79 | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | -| express.js:9:54:9:72 | req.param("wobble") | -| express.js:12:8:12:53 | "return ... + "];" | -| express.js:12:8:12:53 | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | -| express.js:12:28:12:46 | req.param("wobble") | -| express.js:15:22:15:54 | req.par ... ction") | -| express.js:15:22:15:54 | req.par ... ction") | -| express.js:15:22:15:54 | req.par ... ction") | -| express.js:17:30:17:53 | req.par ... cript") | -| express.js:17:30:17:53 | req.par ... cript") | -| express.js:17:30:17:53 | req.par ... cript") | -| express.js:19:37:19:70 | req.par ... odule") | -| express.js:19:37:19:70 | req.par ... odule") | -| express.js:19:37:19:70 | req.par ... 
odule") | -| express.js:21:19:21:48 | req.par ... ntext") | -| express.js:21:19:21:48 | req.par ... ntext") | -| express.js:21:19:21:48 | req.par ... ntext") | -| express.js:26:9:26:35 | taint | -| express.js:26:17:26:35 | req.param("wobble") | -| express.js:26:17:26:35 | req.param("wobble") | -| express.js:27:34:27:38 | taint | -| express.js:27:34:27:38 | taint | -| express.js:34:9:34:35 | taint | -| express.js:34:17:34:35 | req.param("wobble") | -| express.js:34:17:34:35 | req.param("wobble") | -| express.js:43:15:43:19 | taint | -| express.js:43:15:43:19 | taint | -| express.js:49:30:49:32 | msg | -| express.js:49:30:49:32 | msg | -| express.js:50:10:50:12 | msg | -| express.js:50:10:50:12 | msg | -| module.js:9:16:9:29 | req.query.code | -| module.js:9:16:9:29 | req.query.code | -| module.js:9:16:9:29 | req.query.code | -| module.js:11:17:11:30 | req.query.code | -| module.js:11:17:11:30 | req.query.code | -| module.js:11:17:11:30 | req.query.code | -| react-native.js:7:7:7:33 | tainted | -| react-native.js:7:17:7:33 | req.param("code") | -| react-native.js:7:17:7:33 | req.param("code") | -| react-native.js:8:32:8:38 | tainted | -| react-native.js:8:32:8:38 | tainted | -| react-native.js:10:23:10:29 | tainted | -| react-native.js:10:23:10:29 | tainted | -| react.js:10:56:10:77 | documen ... on.hash | -| react.js:10:56:10:77 | documen ... on.hash | -| react.js:10:56:10:77 | documen ... 
on.hash | -| template-sinks.js:18:9:18:31 | tainted | -| template-sinks.js:18:19:18:31 | req.query.foo | -| template-sinks.js:18:19:18:31 | req.query.foo | -| template-sinks.js:20:17:20:23 | tainted | -| template-sinks.js:20:17:20:23 | tainted | -| template-sinks.js:21:16:21:22 | tainted | -| template-sinks.js:21:16:21:22 | tainted | -| template-sinks.js:22:18:22:24 | tainted | -| template-sinks.js:22:18:22:24 | tainted | -| template-sinks.js:23:17:23:23 | tainted | -| template-sinks.js:23:17:23:23 | tainted | -| template-sinks.js:24:18:24:24 | tainted | -| template-sinks.js:24:18:24:24 | tainted | -| template-sinks.js:25:16:25:22 | tainted | -| template-sinks.js:25:16:25:22 | tainted | -| template-sinks.js:26:27:26:33 | tainted | -| template-sinks.js:26:27:26:33 | tainted | -| template-sinks.js:27:21:27:27 | tainted | -| template-sinks.js:27:21:27:27 | tainted | -| template-sinks.js:28:17:28:23 | tainted | -| template-sinks.js:28:17:28:23 | tainted | -| template-sinks.js:29:24:29:30 | tainted | -| template-sinks.js:29:24:29:30 | tainted | -| template-sinks.js:30:21:30:27 | tainted | -| template-sinks.js:30:21:30:27 | tainted | -| template-sinks.js:31:19:31:25 | tainted | -| template-sinks.js:31:19:31:25 | tainted | -| template-sinks.js:32:16:32:22 | tainted | -| template-sinks.js:32:16:32:22 | tainted | -| template-sinks.js:33:17:33:23 | tainted | -| template-sinks.js:33:17:33:23 | tainted | -| tst.js:2:6:2:27 | documen ... on.href | -| tst.js:2:6:2:27 | documen ... on.href | -| tst.js:2:6:2:83 | documen ... t=")+8) | -| tst.js:2:6:2:83 | documen ... t=")+8) | -| tst.js:5:12:5:33 | documen ... on.hash | -| tst.js:5:12:5:33 | documen ... on.hash | -| tst.js:5:12:5:33 | documen ... on.hash | -| tst.js:14:10:14:33 | documen ... .search | -| tst.js:14:10:14:33 | documen ... .search | -| tst.js:14:10:14:74 | documen ... , "$1") | -| tst.js:14:10:14:74 | documen ... , "$1") | -| tst.js:17:21:17:42 | documen ... on.hash | -| tst.js:17:21:17:42 | documen ... 
on.hash | -| tst.js:17:21:17:42 | documen ... on.hash | -| tst.js:20:30:20:51 | documen ... on.hash | -| tst.js:20:30:20:51 | documen ... on.hash | -| tst.js:20:30:20:51 | documen ... on.hash | -| tst.js:23:6:23:46 | atob(do ... ing(1)) | -| tst.js:23:6:23:46 | atob(do ... ing(1)) | -| tst.js:23:11:23:32 | documen ... on.hash | -| tst.js:23:11:23:32 | documen ... on.hash | -| tst.js:23:11:23:45 | documen ... ring(1) | -| tst.js:26:26:26:40 | location.search | -| tst.js:26:26:26:40 | location.search | -| tst.js:26:26:26:53 | locatio ... ring(1) | -| tst.js:26:26:26:53 | locatio ... ring(1) | -| tst.js:29:9:29:82 | source | -| tst.js:29:18:29:41 | documen ... .search | -| tst.js:29:18:29:41 | documen ... .search | -| tst.js:29:18:29:82 | documen ... , "$1") | -| tst.js:31:18:31:23 | source | -| tst.js:31:18:31:23 | source | -| tst.js:33:14:33:19 | source | -| tst.js:33:14:33:19 | source | -| tst.js:35:28:35:33 | source | -| tst.js:35:28:35:33 | source | -| tst.js:37:33:37:38 | source | -| tst.js:37:33:37:38 | source | -| webix/webix.html:3:16:3:37 | documen ... on.hash | -| webix/webix.html:3:16:3:37 | documen ... on.hash | -| webix/webix.html:3:16:3:37 | documen ... on.hash | -| webix/webix.html:4:26:4:47 | documen ... on.hash | -| webix/webix.html:4:26:4:47 | documen ... on.hash | -| webix/webix.html:4:26:4:47 | documen ... on.hash | -| webix/webix.html:5:47:5:68 | documen ... on.hash | -| webix/webix.html:5:47:5:68 | documen ... on.hash | -| webix/webix.html:5:47:5:68 | documen ... on.hash | -| webix/webix.js:3:12:3:33 | documen ... on.hash | -| webix/webix.js:3:12:3:33 | documen ... on.hash | -| webix/webix.js:3:12:3:33 | documen ... on.hash | -| webix/webix.js:4:22:4:43 | documen ... on.hash | -| webix/webix.js:4:22:4:43 | documen ... on.hash | -| webix/webix.js:4:22:4:43 | documen ... on.hash | -| webix/webix.js:5:43:5:64 | documen ... on.hash | -| webix/webix.js:5:43:5:64 | documen ... on.hash | -| webix/webix.js:5:43:5:64 | documen ... 
on.hash | edges | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | -| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | -| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | -| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | -| NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:36:19:48 | req.body.name | -| NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:36:19:48 | req.body.name | -| NoSQLCodeInjection.js:19:36:19:48 | req.body.name | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | -| NoSQLCodeInjection.js:19:36:19:48 | req.body.name | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | -| NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | -| NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | -| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | -| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | -| actions.js:4:10:4:50 | github. ... message | actions.js:4:10:4:50 | github. ... 
message | -| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | -| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | -| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | -| angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:36 | location.search | -| angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:41 | location.search | -| angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:37 | location.search | -| angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:47 | location.search | -| angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:42 | location.search | -| angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:32 | location.search | -| angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:32 | location.search | -| angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:31 | location.search | -| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | -| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | -| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | +| NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | +| NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... 
+ "];" | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | -| express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") | -| express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") | -| express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | -| express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... 
ntext") | -| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint | | express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint | | express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint | -| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint | -| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint | | express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint | | express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint | -| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint | | express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | -| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | -| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | -| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | -| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | -| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | -| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | -| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | -| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | -| react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... 
on.hash | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:20:17:20:23 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:20:17:20:23 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:21:16:21:22 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:21:16:21:22 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:22:18:22:24 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:22:18:22:24 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:23:17:23:23 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:23:17:23:23 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:24:18:24:24 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:24:18:24:24 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:25:16:25:22 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:25:16:25:22 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:26:27:26:33 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:26:27:26:33 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:27:21:27:27 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:27:21:27:27 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:28:17:28:23 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:28:17:28:23 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:29:24:29:30 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:29:24:29:30 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:30:21:30:27 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:30:21:30:27 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:31:19:31:25 | tainted | -| 
template-sinks.js:18:9:18:31 | tainted | template-sinks.js:31:19:31:25 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:32:16:32:22 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:32:16:32:22 | tainted | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted | -| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted | -| template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted | | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted | | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | -| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | -| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | -| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | -| tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | | tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | -| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | -| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | -| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | -| tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash | -| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | -| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) | | tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) | | tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | -| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | -| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... 
ring(1) | -| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | -| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source | -| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source | -| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source | | tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source | | tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source | -| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source | | tst.js:29:9:29:82 | source | tst.js:37:33:37:38 | source | -| tst.js:29:9:29:82 | source | tst.js:37:33:37:38 | source | -| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") | | tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") | | tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source | -| webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | -| webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | -| webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | -| webix/webix.js:3:12:3:33 | documen ... on.hash | webix/webix.js:3:12:3:33 | documen ... on.hash | -| webix/webix.js:4:22:4:43 | documen ... on.hash | webix/webix.js:4:22:4:43 | documen ... on.hash | -| webix/webix.js:5:43:5:64 | documen ... on.hash | webix/webix.js:5:43:5:64 | documen ... on.hash | +nodes +| NoSQLCodeInjection.js:18:24:18:31 | req.body | semmle.label | req.body | +| NoSQLCodeInjection.js:18:24:18:37 | req.body.query | semmle.label | req.body.query | +| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | semmle.label | "name = ... 
dy.name | +| NoSQLCodeInjection.js:19:36:19:43 | req.body | semmle.label | req.body | +| NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | semmle.label | "name = ... dy.name | +| NoSQLCodeInjection.js:22:36:22:43 | req.body | semmle.label | req.body | +| actions.js:4:10:4:50 | github. ... message | semmle.label | github. ... message | +| angularjs.js:10:22:10:36 | location.search | semmle.label | location.search | +| angularjs.js:13:23:13:37 | location.search | semmle.label | location.search | +| angularjs.js:16:28:16:42 | location.search | semmle.label | location.search | +| angularjs.js:19:22:19:36 | location.search | semmle.label | location.search | +| angularjs.js:22:27:22:41 | location.search | semmle.label | location.search | +| angularjs.js:25:23:25:37 | location.search | semmle.label | location.search | +| angularjs.js:28:33:28:47 | location.search | semmle.label | location.search | +| angularjs.js:31:28:31:42 | location.search | semmle.label | location.search | +| angularjs.js:34:18:34:32 | location.search | semmle.label | location.search | +| angularjs.js:40:18:40:32 | location.search | semmle.label | location.search | +| angularjs.js:44:17:44:31 | location.search | semmle.label | location.search | +| angularjs.js:47:16:47:30 | location.search | semmle.label | location.search | +| angularjs.js:50:22:50:36 | location.search | semmle.label | location.search | +| angularjs.js:53:32:53:46 | location.search | semmle.label | location.search | +| express.js:7:24:7:69 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:7:44:7:62 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:9:34:9:79 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:9:54:9:72 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:12:8:12:53 | "return ... + "];" | semmle.label | "return ... 
+ "];" | +| express.js:12:28:12:46 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:15:22:15:54 | req.par ... ction") | semmle.label | req.par ... ction") | +| express.js:17:30:17:53 | req.par ... cript") | semmle.label | req.par ... cript") | +| express.js:19:37:19:70 | req.par ... odule") | semmle.label | req.par ... odule") | +| express.js:21:19:21:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | +| express.js:26:9:26:35 | taint | semmle.label | taint | +| express.js:26:17:26:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:27:34:27:38 | taint | semmle.label | taint | +| express.js:34:9:34:35 | taint | semmle.label | taint | +| express.js:34:17:34:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:43:15:43:19 | taint | semmle.label | taint | +| express.js:49:30:49:32 | msg | semmle.label | msg | +| express.js:50:10:50:12 | msg | semmle.label | msg | +| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code | +| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code | +| react-native.js:7:7:7:33 | tainted | semmle.label | tainted | +| react-native.js:7:17:7:33 | req.param("code") | semmle.label | req.param("code") | +| react-native.js:8:32:8:38 | tainted | semmle.label | tainted | +| react-native.js:10:23:10:29 | tainted | semmle.label | tainted | +| react.js:10:56:10:77 | documen ... on.hash | semmle.label | documen ... 
on.hash | +| template-sinks.js:18:9:18:31 | tainted | semmle.label | tainted | +| template-sinks.js:18:19:18:31 | req.query.foo | semmle.label | req.query.foo | +| template-sinks.js:20:17:20:23 | tainted | semmle.label | tainted | +| template-sinks.js:21:16:21:22 | tainted | semmle.label | tainted | +| template-sinks.js:22:18:22:24 | tainted | semmle.label | tainted | +| template-sinks.js:23:17:23:23 | tainted | semmle.label | tainted | +| template-sinks.js:24:18:24:24 | tainted | semmle.label | tainted | +| template-sinks.js:25:16:25:22 | tainted | semmle.label | tainted | +| template-sinks.js:26:27:26:33 | tainted | semmle.label | tainted | +| template-sinks.js:27:21:27:27 | tainted | semmle.label | tainted | +| template-sinks.js:28:17:28:23 | tainted | semmle.label | tainted | +| template-sinks.js:29:24:29:30 | tainted | semmle.label | tainted | +| template-sinks.js:30:21:30:27 | tainted | semmle.label | tainted | +| template-sinks.js:31:19:31:25 | tainted | semmle.label | tainted | +| template-sinks.js:32:16:32:22 | tainted | semmle.label | tainted | +| template-sinks.js:33:17:33:23 | tainted | semmle.label | tainted | +| tst.js:2:6:2:27 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:2:6:2:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:5:12:5:33 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:14:10:14:33 | documen ... .search | semmle.label | documen ... .search | +| tst.js:14:10:14:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:17:21:17:42 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:20:30:20:51 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:23:6:23:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | +| tst.js:23:11:23:32 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:23:11:23:45 | documen ... ring(1) | semmle.label | documen ... 
ring(1) | +| tst.js:26:26:26:40 | location.search | semmle.label | location.search | +| tst.js:26:26:26:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | +| tst.js:29:9:29:82 | source | semmle.label | source | +| tst.js:29:18:29:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:29:18:29:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:31:18:31:23 | source | semmle.label | source | +| tst.js:33:14:33:19 | source | semmle.label | source | +| tst.js:35:28:35:33 | source | semmle.label | source | +| tst.js:37:33:37:38 | source | semmle.label | source | +| webix/webix.html:3:16:3:37 | documen ... on.hash | semmle.label | documen ... on.hash | +| webix/webix.html:4:26:4:47 | documen ... on.hash | semmle.label | documen ... on.hash | +| webix/webix.html:5:47:5:68 | documen ... on.hash | semmle.label | documen ... on.hash | +| webix/webix.js:3:12:3:33 | documen ... on.hash | semmle.label | documen ... on.hash | +| webix/webix.js:4:22:4:43 | documen ... on.hash | semmle.label | documen ... on.hash | +| webix/webix.js:5:43:5:64 | documen ... on.hash | semmle.label | documen ... on.hash | +subpaths #select | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | This code execution depends on a $@. | NoSQLCodeInjection.js:18:24:18:31 | req.body | user-provided value | | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:19:36:19:43 | req.body | user-provided value |