
Commit 9221b62

author
Max Schaefer
committed
JavaScript: Update expected test output for security path queries to include nodes and edges query predicates.
1 parent d57b5d9 commit 9221b62

30 files changed

Lines changed: 2450 additions & 408 deletions

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected

Lines changed: 191 additions & 29 deletions
Large diffs are not rendered by default.
Lines changed: 76 additions & 11 deletions
@@ -1,11 +1,76 @@
1-
| child_process-test.js:17:13:17:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
2-
| child_process-test.js:18:17:18:19 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
3-
| child_process-test.js:19:17:19:19 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
4-
| child_process-test.js:20:21:20:23 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
5-
| child_process-test.js:21:14:21:16 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
6-
| child_process-test.js:22:18:22:20 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
7-
| child_process-test.js:23:13:23:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
8-
| child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
9-
| child_process-test.js:39:5:39:31 | cp.spaw ... cmd ]) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
10-
| child_process-test.js:44:5:44:34 | cp.exec ... , args) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
11-
| child_process-test.js:50:3:50:21 | cp.spawn(cmd, args) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
1+
nodes
2+
| child_process-test.js:6:9:6:49 | cmd |
3+
| child_process-test.js:6:15:6:38 | url.par ... , true) |
4+
| child_process-test.js:6:15:6:44 | url.par ... ).query |
5+
| child_process-test.js:6:15:6:49 | url.par ... ry.path |
6+
| child_process-test.js:6:25:6:31 | req.url |
7+
| child_process-test.js:17:13:17:15 | cmd |
8+
| child_process-test.js:18:17:18:19 | cmd |
9+
| child_process-test.js:19:17:19:19 | cmd |
10+
| child_process-test.js:20:21:20:23 | cmd |
11+
| child_process-test.js:21:14:21:16 | cmd |
12+
| child_process-test.js:22:18:22:20 | cmd |
13+
| child_process-test.js:23:13:23:15 | cmd |
14+
| child_process-test.js:25:13:25:23 | "foo" + cmd |
15+
| child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
16+
| child_process-test.js:25:21:25:23 | cmd |
17+
| child_process-test.js:36:7:36:20 | sh |
18+
| child_process-test.js:36:12:36:20 | 'cmd.exe' |
19+
| child_process-test.js:38:7:38:20 | sh |
20+
| child_process-test.js:38:12:38:20 | '/bin/sh' |
21+
| child_process-test.js:39:5:39:5 | sh |
22+
| child_process-test.js:39:14:39:15 | sh |
23+
| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
24+
| child_process-test.js:39:26:39:28 | cmd |
25+
| child_process-test.js:41:9:41:17 | args |
26+
| child_process-test.js:41:16:41:17 | [] |
27+
| child_process-test.js:43:15:43:17 | cmd |
28+
| child_process-test.js:44:17:44:27 | "/bin/bash" |
29+
| child_process-test.js:44:30:44:33 | args |
30+
| child_process-test.js:46:9:46:12 | "sh" |
31+
| child_process-test.js:46:15:46:18 | args |
32+
| child_process-test.js:49:14:49:16 | cmd |
33+
| child_process-test.js:49:19:49:22 | args |
34+
| child_process-test.js:50:12:50:14 | cmd |
35+
| child_process-test.js:50:17:50:20 | args |
36+
edges
37+
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd |
38+
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:18:17:18:19 | cmd |
39+
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:19:17:19:19 | cmd |
40+
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:20:21:20:23 | cmd |
41+
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:21:14:21:16 | cmd |
42+
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:22:18:22:20 | cmd |
43+
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:23:13:23:15 | cmd |
44+
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:25:21:25:23 | cmd |
45+
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:39:26:39:28 | cmd |
46+
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:43:15:43:17 | cmd |
47+
| child_process-test.js:6:15:6:38 | url.par ... , true) | child_process-test.js:6:15:6:44 | url.par ... ).query |
48+
| child_process-test.js:6:15:6:44 | url.par ... ).query | child_process-test.js:6:15:6:49 | url.par ... ry.path |
49+
| child_process-test.js:6:15:6:49 | url.par ... ry.path | child_process-test.js:6:9:6:49 | cmd |
50+
| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
51+
| child_process-test.js:25:13:25:23 | "foo" + cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
52+
| child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:23 | "foo" + cmd |
53+
| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:5:39:5 | sh |
54+
| child_process-test.js:36:12:36:20 | 'cmd.exe' | child_process-test.js:36:7:36:20 | sh |
55+
| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:5:39:5 | sh |
56+
| child_process-test.js:38:12:38:20 | '/bin/sh' | child_process-test.js:38:7:38:20 | sh |
57+
| child_process-test.js:39:5:39:5 | sh | child_process-test.js:39:14:39:15 | sh |
58+
| child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args |
59+
| child_process-test.js:41:9:41:17 | args | child_process-test.js:46:15:46:18 | args |
60+
| child_process-test.js:41:16:41:17 | [] | child_process-test.js:41:9:41:17 | args |
61+
| child_process-test.js:46:9:46:12 | "sh" | child_process-test.js:49:14:49:16 | cmd |
62+
| child_process-test.js:46:15:46:18 | args | child_process-test.js:49:19:49:22 | args |
63+
| child_process-test.js:49:14:49:16 | cmd | child_process-test.js:50:12:50:14 | cmd |
64+
| child_process-test.js:49:19:49:22 | args | child_process-test.js:50:17:50:20 | args |
65+
#select
66+
| child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
67+
| child_process-test.js:18:17:18:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:18:17:18:19 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
68+
| child_process-test.js:19:17:19:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:19:17:19:19 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
69+
| child_process-test.js:20:21:20:23 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:20:21:20:23 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
70+
| child_process-test.js:21:14:21:16 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:21:14:21:16 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
71+
| child_process-test.js:22:18:22:20 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:22:18:22:20 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
72+
| child_process-test.js:23:13:23:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:23:13:23:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
73+
| child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
74+
| child_process-test.js:39:5:39:31 | cp.spaw ... cmd ]) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:39:26:39:28 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
75+
| child_process-test.js:44:5:44:34 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
76+
| child_process-test.js:50:3:50:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
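Review bot: The new `nodes` and `edges` tables contain entries that no path from `req.url` reaches, for example `'cmd.exe'`, `'/bin/sh'`, `[]` and `"/bin/bash"` (new lines 18, 20, 26 and 28); the last of these appears in no edge at all. This suggests the query predicates range over the path nodes of every flow configuration in scope rather than only the taint configuration, which is inferred from the output because the query itself is not on this page. If so, this expected file will change whenever the helper tracking of shell names or argument arrays changes, even when the command-injection results stay the same, so it is worth confirming that this is intended. Separately, `#select` rows 75 and 76 both end at the sink node `child_process-test.js:43:15:43:17 | cmd`, so check that the path rendered for the alert on line 50 is the one a reader should see.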
Lines changed: 91 additions & 11 deletions
@@ -1,11 +1,91 @@
1-
| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
2-
| etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
3-
| formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
4-
| formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
5-
| partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
6-
| partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:51:22:57 | req.url | user-provided value |
7-
| partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:47:31:53 | req.url | user-provided value |
8-
| partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
9-
| promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
10-
| tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
11-
| tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
1+
nodes
2+
| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
3+
| ReflectedXss.js:8:33:8:45 | req.params.id |
4+
| etherpad.js:9:5:9:53 | response |
5+
| etherpad.js:9:16:9:30 | req.query.jsonp |
6+
| etherpad.js:9:16:9:36 | req.que ... p + "(" |
7+
| etherpad.js:9:16:9:47 | req.que ... esponse |
8+
| etherpad.js:9:16:9:53 | req.que ... e + ")" |
9+
| etherpad.js:11:3:11:3 | response |
10+
| etherpad.js:11:12:11:19 | response |
11+
| formatting.js:4:9:4:29 | evil |
12+
| formatting.js:4:16:4:29 | req.query.evil |
13+
| formatting.js:6:14:6:47 | util.fo ... , evil) |
14+
| formatting.js:6:43:6:46 | evil |
15+
| formatting.js:7:14:7:53 | require ... , evil) |
16+
| formatting.js:7:49:7:52 | evil |
17+
| partial.js:9:25:9:25 | x |
18+
| partial.js:10:14:10:14 | x |
19+
| partial.js:10:14:10:18 | x + y |
20+
| partial.js:13:42:13:48 | req.url |
21+
| partial.js:18:25:18:25 | x |
22+
| partial.js:19:14:19:14 | x |
23+
| partial.js:19:14:19:18 | x + y |
24+
| partial.js:22:51:22:57 | req.url |
25+
| partial.js:27:25:27:25 | x |
26+
| partial.js:28:14:28:14 | x |
27+
| partial.js:28:14:28:18 | x + y |
28+
| partial.js:31:47:31:53 | req.url |
29+
| partial.js:36:25:36:25 | x |
30+
| partial.js:37:14:37:14 | x |
31+
| partial.js:37:14:37:18 | x + y |
32+
| partial.js:40:43:40:49 | req.url |
33+
| promises.js:5:3:5:59 | new Pro ... .data)) |
34+
| promises.js:5:44:5:57 | req.query.data |
35+
| promises.js:6:11:6:11 | x |
36+
| promises.js:6:11:6:11 | x |
37+
| promises.js:6:25:6:25 | x |
38+
| promises.js:6:25:6:25 | x |
39+
| tst2.js:6:7:6:30 | p |
40+
| tst2.js:6:7:6:30 | r |
41+
| tst2.js:6:9:6:9 | p |
42+
| tst2.js:6:12:6:15 | q: r |
43+
| tst2.js:7:12:7:12 | p |
44+
| tst2.js:8:12:8:12 | r |
45+
edges
46+
| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
47+
| etherpad.js:9:5:9:53 | response | etherpad.js:11:3:11:3 | response |
48+
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:36 | req.que ... p + "(" |
49+
| etherpad.js:9:16:9:36 | req.que ... p + "(" | etherpad.js:9:16:9:47 | req.que ... esponse |
50+
| etherpad.js:9:16:9:47 | req.que ... esponse | etherpad.js:9:16:9:53 | req.que ... e + ")" |
51+
| etherpad.js:9:16:9:53 | req.que ... e + ")" | etherpad.js:9:5:9:53 | response |
52+
| etherpad.js:11:3:11:3 | response | etherpad.js:11:12:11:19 | response |
53+
| formatting.js:4:9:4:29 | evil | formatting.js:6:43:6:46 | evil |
54+
| formatting.js:4:9:4:29 | evil | formatting.js:7:49:7:52 | evil |
55+
| formatting.js:4:16:4:29 | req.query.evil | formatting.js:4:9:4:29 | evil |
56+
| formatting.js:6:43:6:46 | evil | formatting.js:6:14:6:47 | util.fo ... , evil) |
57+
| formatting.js:7:49:7:52 | evil | formatting.js:7:14:7:53 | require ... , evil) |
58+
| partial.js:9:25:9:25 | x | partial.js:10:14:10:14 | x |
59+
| partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y |
60+
| partial.js:13:42:13:48 | req.url | partial.js:9:25:9:25 | x |
61+
| partial.js:18:25:18:25 | x | partial.js:19:14:19:14 | x |
62+
| partial.js:19:14:19:14 | x | partial.js:19:14:19:18 | x + y |
63+
| partial.js:22:51:22:57 | req.url | partial.js:18:25:18:25 | x |
64+
| partial.js:27:25:27:25 | x | partial.js:28:14:28:14 | x |
65+
| partial.js:28:14:28:14 | x | partial.js:28:14:28:18 | x + y |
66+
| partial.js:31:47:31:53 | req.url | partial.js:27:25:27:25 | x |
67+
| partial.js:36:25:36:25 | x | partial.js:37:14:37:14 | x |
68+
| partial.js:37:14:37:14 | x | partial.js:37:14:37:18 | x + y |
69+
| partial.js:40:43:40:49 | req.url | partial.js:36:25:36:25 | x |
70+
| promises.js:5:3:5:59 | new Pro ... .data)) | promises.js:6:11:6:11 | x |
71+
| promises.js:5:44:5:57 | req.query.data | promises.js:5:3:5:59 | new Pro ... .data)) |
72+
| promises.js:5:44:5:57 | req.query.data | promises.js:6:11:6:11 | x |
73+
| promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x |
74+
| promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x |
75+
| tst2.js:6:7:6:30 | p | tst2.js:7:12:7:12 | p |
76+
| tst2.js:6:7:6:30 | r | tst2.js:8:12:8:12 | r |
77+
| tst2.js:6:9:6:9 | p | tst2.js:6:7:6:30 | p |
78+
| tst2.js:6:12:6:15 | q: r | tst2.js:6:7:6:30 | r |
79+
#select
80+
| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
81+
| etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
82+
| formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
83+
| formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
84+
| partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
85+
| partial.js:19:14:19:18 | x + y | partial.js:22:51:22:57 | req.url | partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:51:22:57 | req.url | user-provided value |
86+
| partial.js:28:14:28:18 | x + y | partial.js:31:47:31:53 | req.url | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:47:31:53 | req.url | user-provided value |
87+
| partial.js:37:14:37:18 | x + y | partial.js:40:43:40:49 | req.url | partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
88+
| promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
89+
| promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
90+
| tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
91+
| tst2.js:8:12:8:12 | r | tst2.js:6:12:6:15 | q: r | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
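Review bot: New `#select` rows 88 and 89 are byte-identical (`promises.js:6:25:6:25 | x` reached from `req.query.data`), where the old output had a single row for this sink. The `nodes` rows 35/36 and 37/38 and the `edges` rows 73/74 are duplicated in the same way. Presumably two distinct path nodes share one source location and the textual output cannot tell them apart. A user would then see the same cross-site scripting alert twice, so it is worth confirming whether the duplication is an accepted side effect of the path-query conversion or whether results with the same source, sink and location should be collapsed.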
