github
diff --git a/‎…ental/Security/CWE-117/LogInjection.help‎ ‎…/src/Security/CWE-117/LogInjection.qhelp‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.help renamed to javascript/ql/src/Security/CWE-117/LogInjection.qhelp b/‎…ental/Security/CWE-117/LogInjection.help‎ ‎…/src/Security/CWE-117/LogInjection.qhelp‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.help renamed to javascript/ql/src/Security/CWE-117/LogInjection.qhelp
diff --git a/‎…imental/Security/CWE-117/LogInjection.ql‎ ‎…/ql/src/Security/CWE-117/LogInjection.ql‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.ql renamed to javascript/ql/src/Security/CWE-117/LogInjection.ql
Lines changed: 2 additions & 2 deletions b/‎…imental/Security/CWE-117/LogInjection.ql‎ ‎…/ql/src/Security/CWE-117/LogInjection.ql‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.ql renamed to javascript/ql/src/Security/CWE-117/LogInjection.ql
Lines changed: 2 additions & 2 deletions
diff --git a/‎javascript/ql/src/Security/CWE-117/examples/logInjectionBad.js‎
Lines changed: 10 additions & 0 deletions b/‎javascript/ql/src/Security/CWE-117/examples/logInjectionBad.js‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎javascript/ql/src/Security/CWE-117/examples/logInjectionGood.js‎
Lines changed: 13 additions & 0 deletions b/‎javascript/ql/src/Security/CWE-117/examples/logInjectionGood.js‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-117/examples/logInjectionBad.js‎
Lines changed: 0 additions & 68 deletions b/‎javascript/ql/src/experimental/Security/CWE-117/examples/logInjectionBad.js‎
Lines changed: 0 additions & 68 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-117/examples/logInjectionGood.js‎
Lines changed: 0 additions & 51 deletions b/‎javascript/ql/src/experimental/Security/CWE-117/examples/logInjectionGood.js‎
Lines changed: 0 additions & 51 deletions
diff --git a/‎…mental/Security/CWE-117/LogInjection.qll‎ ‎…cript/security/dataflow/LogInjection.qll‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.qll renamed to javascript/ql/src/semmle/javascript/security/dataflow/LogInjection.qll b/‎…mental/Security/CWE-117/LogInjection.qll‎ ‎…cript/security/dataflow/LogInjection.qll‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.qll renamed to javascript/ql/src/semmle/javascript/security/dataflow/LogInjection.qll
@@ -4,15 +4,15 @@
  *              insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @precision high
+ * @precision medium
  * @id js/log-injection
  * @tags security
  *       external/cwe/cwe-117
  */
 
 import javascript
 import DataFlow::PathGraph
-import LogInjection::LogInjection
+import semmle.javascript.security.dataflow.LogInjection::LogInjection
 
 from LogInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 
@@ -0,0 +1,10 @@
+const http = require('http');
+const url = require('url');
+
+const server = http.createServer((req, res) => {
+    let q = url.parse(req.url, true);
+
+    console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is
+})
+
+server.listen(3000, '127.0.0.1', () => {});
@@ -0,0 +1,13 @@
+const http = require('http');
+const url = require('url');
+
+const server = http.createServer((req, res) => {
+    let q = url.parse(req.url, true);
+
+    // GOOD: remove newlines from user controlled input before logging
+    let username = q.query.username.replace(/\n|\r/g, "");
+
+    console.info(`[INFO] User: ${username}`);
+});
+
+server.listen(3000, '127.0.0.1', () => {});