JS: Port CodeInjection

asgerf · asgerf · commit fcfab5238e4b · 2023-10-13T13:15:03.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
@@ -13,7 +13,28 @@ import CodeInjectionCustomizations::CodeInjection
 /**
  * A taint-tracking configuration for reasoning about code injection vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+module CodeInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // HTML sanitizers are insufficient protection against code injection
+    node1 = node2.(HtmlSanitizerCall).getInput()
+  }
+}
+
+/**
+ * Taint-tracking for reasoning about code injection vulnerabilities.
+ */
+module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
+
+/**
+ * DEPRRECATED. Use the `CodeInjectionFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CodeInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -25,8 +46,7 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
-    // HTML sanitizers are insufficient protection against code injection
-    src = trg.(HtmlSanitizerCall).getInput()
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    CodeInjectionConfig::isAdditionalFlowStep(node1, node2)
   }
 }
diff --git a/javascript/ql/src/Security/CWE-094/CodeInjection.ql b/javascript/ql/src/Security/CWE-094/CodeInjection.ql
@@ -16,9 +16,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.CodeInjectionQuery
-import DataFlow::PathGraph
+import CodeInjectionFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+where CodeInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, sink.getNode().(Sink).getMessagePrefix() + " depends on a $@.",
   source.getNode(), "user-provided value"
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected
@@ -1,140 +1,83 @@
-nodes
-| app.js:15:30:15:58 | req.que ... tedCode |
-| app.js:15:30:15:58 | req.que ... tedCode |
-| app.js:17:25:17:48 | req.que ... shSink1 |
-| app.js:17:25:17:48 | req.que ... shSink1 |
-| app.js:19:35:19:68 | req.que ... rString |
-| app.js:19:35:19:68 | req.que ... rString |
-| app.js:34:30:34:58 | req.que ... tedCode |
-| app.js:34:30:34:58 | req.que ... tedCode |
-| app.js:36:25:36:48 | req.que ... shSink1 |
-| app.js:36:25:36:48 | req.que ... shSink1 |
-| app.js:38:35:38:68 | req.que ... rString |
-| app.js:38:35:38:68 | req.que ... rString |
-| app.js:53:30:53:58 | req.que ... tedCode |
-| app.js:53:30:53:58 | req.que ... tedCode |
-| app.js:54:33:54:64 | req.que ... CodeRaw |
-| app.js:54:33:54:64 | req.que ... CodeRaw |
-| app.js:56:25:56:48 | req.que ... shSink1 |
-| app.js:56:25:56:48 | req.que ... shSink1 |
-| app.js:58:35:58:68 | req.que ... rString |
-| app.js:58:35:58:68 | req.que ... rString |
-| app.js:59:38:59:74 | req.que ... ringRaw |
-| app.js:59:38:59:74 | req.que ... ringRaw |
-| app.js:65:22:65:42 | req.que ... pedHtml |
-| app.js:65:22:65:42 | req.que ... pedHtml |
-| app.js:66:18:66:34 | req.query.rawHtml |
-| app.js:66:18:66:34 | req.query.rawHtml |
-| views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> |
-| views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> |
-| views/angularjs_include.ejs:2:9:2:19 | escapedHtml |
-| views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> |
-| views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> |
-| views/angularjs_include.ejs:3:9:3:15 | rawHtml |
-| views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> |
-| views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> |
-| views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml |
-| views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
-| views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
-| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml |
-| views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
-| views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
-| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode |
-| views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
-| views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
-| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 |
-| views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
-| views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
-| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString |
-| views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} |
-| views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} |
-| views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode |
-| views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} |
-| views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} |
-| views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 |
-| views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} |
-| views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} |
-| views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString |
-| views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} |
-| views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} |
-| views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode |
-| views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} |
-| views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} |
-| views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw |
-| views/njk_sinks.njk:14:45:14:73 | dataInG ...  \| safe |
-| views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} |
-| views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} |
-| views/njk_sinks.njk:17:22:17:35 | backslashSink1 |
-| views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} |
-| views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} |
-| views/njk_sinks.njk:22:42:22:65 | dataInE ... rString |
-| views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} |
-| views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} |
-| views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw |
-| views/njk_sinks.njk:23:42:23:75 | dataInE ...  \| safe |
 edges
 | app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode |
-| app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode |
 | app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 |
-| app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 |
-| app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString |
 | app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString |
 | app.js:34:30:34:58 | req.que ... tedCode | views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode |
-| app.js:34:30:34:58 | req.que ... tedCode | views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode |
-| app.js:36:25:36:48 | req.que ... shSink1 | views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 |
 | app.js:36:25:36:48 | req.que ... shSink1 | views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 |
 | app.js:38:35:38:68 | req.que ... rString | views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString |
-| app.js:38:35:38:68 | req.que ... rString | views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString |
-| app.js:53:30:53:58 | req.que ... tedCode | views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode |
 | app.js:53:30:53:58 | req.que ... tedCode | views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode |
 | app.js:54:33:54:64 | req.que ... CodeRaw | views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw |
-| app.js:54:33:54:64 | req.que ... CodeRaw | views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw |
-| app.js:56:25:56:48 | req.que ... shSink1 | views/njk_sinks.njk:17:22:17:35 | backslashSink1 |
 | app.js:56:25:56:48 | req.que ... shSink1 | views/njk_sinks.njk:17:22:17:35 | backslashSink1 |
 | app.js:58:35:58:68 | req.que ... rString | views/njk_sinks.njk:22:42:22:65 | dataInE ... rString |
-| app.js:58:35:58:68 | req.que ... rString | views/njk_sinks.njk:22:42:22:65 | dataInE ... rString |
-| app.js:59:38:59:74 | req.que ... ringRaw | views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw |
 | app.js:59:38:59:74 | req.que ... ringRaw | views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw |
 | app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_include.ejs:2:9:2:19 | escapedHtml |
-| app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_include.ejs:2:9:2:19 | escapedHtml |
-| app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml |
 | app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml |
 | app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_include.ejs:3:9:3:15 | rawHtml |
-| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_include.ejs:3:9:3:15 | rawHtml |
-| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml |
 | app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml |
 | views/angularjs_include.ejs:2:9:2:19 | escapedHtml | views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> |
-| views/angularjs_include.ejs:2:9:2:19 | escapedHtml | views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> |
-| views/angularjs_include.ejs:3:9:3:15 | rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> |
 | views/angularjs_include.ejs:3:9:3:15 | rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> |
 | views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> |
-| views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> |
-| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
-| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
-| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
 | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
-| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
-| views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} |
 | views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} |
 | views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} |
-| views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} |
-| views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} |
 | views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} |
 | views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} |
-| views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} |
 | views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw | views/njk_sinks.njk:14:45:14:73 | dataInG ...  \| safe |
 | views/njk_sinks.njk:14:45:14:73 | dataInG ...  \| safe | views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} |
-| views/njk_sinks.njk:14:45:14:73 | dataInG ...  \| safe | views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} |
 | views/njk_sinks.njk:17:22:17:35 | backslashSink1 | views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} |
-| views/njk_sinks.njk:17:22:17:35 | backslashSink1 | views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} |
-| views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} |
 | views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} |
 | views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw | views/njk_sinks.njk:23:42:23:75 | dataInE ...  \| safe |
 | views/njk_sinks.njk:23:42:23:75 | dataInE ...  \| safe | views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} |
-| views/njk_sinks.njk:23:42:23:75 | dataInE ...  \| safe | views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} |
+nodes
+| app.js:15:30:15:58 | req.que ... tedCode | semmle.label | req.que ... tedCode |
+| app.js:17:25:17:48 | req.que ... shSink1 | semmle.label | req.que ... shSink1 |
+| app.js:19:35:19:68 | req.que ... rString | semmle.label | req.que ... rString |
+| app.js:34:30:34:58 | req.que ... tedCode | semmle.label | req.que ... tedCode |
+| app.js:36:25:36:48 | req.que ... shSink1 | semmle.label | req.que ... shSink1 |
+| app.js:38:35:38:68 | req.que ... rString | semmle.label | req.que ... rString |
+| app.js:53:30:53:58 | req.que ... tedCode | semmle.label | req.que ... tedCode |
+| app.js:54:33:54:64 | req.que ... CodeRaw | semmle.label | req.que ... CodeRaw |
+| app.js:56:25:56:48 | req.que ... shSink1 | semmle.label | req.que ... shSink1 |
+| app.js:58:35:58:68 | req.que ... rString | semmle.label | req.que ... rString |
+| app.js:59:38:59:74 | req.que ... ringRaw | semmle.label | req.que ... ringRaw |
+| app.js:65:22:65:42 | req.que ... pedHtml | semmle.label | req.que ... pedHtml |
+| app.js:66:18:66:34 | req.query.rawHtml | semmle.label | req.query.rawHtml |
+| views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | semmle.label | <%= escapedHtml %> |
+| views/angularjs_include.ejs:2:9:2:19 | escapedHtml | semmle.label | escapedHtml |
+| views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | semmle.label | <%- rawHtml %> |
+| views/angularjs_include.ejs:3:9:3:15 | rawHtml | semmle.label | rawHtml |
+| views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> | semmle.label | <%= escapedHtml %> |
+| views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | semmle.label | escapedHtml |
+| views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | semmle.label | <%- rawHtml %> |
+| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | semmle.label | rawHtml |
+| views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | semmle.label | <%= dataInGeneratedCode %> |
+| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | semmle.label | dataInGeneratedCode |
+| views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | semmle.label | <%= backslashSink1 %> |
+| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | semmle.label | backslashSink1 |
+| views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | semmle.label | <%= dataInEventHandlerString %> |
+| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | semmle.label | dataInE ... rString |
+| views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} | semmle.label | {{ dataInGeneratedCode }} |
+| views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | semmle.label | dataInGeneratedCode |
+| views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} | semmle.label | {{ backslashSink1 }} |
+| views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | semmle.label | backslashSink1 |
+| views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} | semmle.label | {{ dataInEventHandlerString }} |
+| views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | semmle.label | dataInE ... rString |
+| views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} | semmle.label | {{ dataInGeneratedCode }} |
+| views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | semmle.label | dataInGeneratedCode |
+| views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} | semmle.label | {{ dataInGeneratedCodeRaw \| safe }} |
+| views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw | semmle.label | dataInG ... CodeRaw |
+| views/njk_sinks.njk:14:45:14:73 | dataInG ...  \| safe | semmle.label | dataInG ...  \| safe |
+| views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} | semmle.label | {{ backslashSink1 }} |
+| views/njk_sinks.njk:17:22:17:35 | backslashSink1 | semmle.label | backslashSink1 |
+| views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} | semmle.label | {{ dataInEventHandlerString }} |
+| views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | semmle.label | dataInE ... rString |
+| views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} | semmle.label | {{ dataInEventHandlerStringRaw \| safe }} |
+| views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw | semmle.label | dataInE ... ringRaw |
+| views/njk_sinks.njk:23:42:23:75 | dataInE ...  \| safe | semmle.label | dataInE ...  \| safe |
+subpaths
 #select
 | views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | This AngularJS template, which may contain code, depends on a $@. | app.js:65:22:65:42 | req.que ... pedHtml | user-provided value |
 | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | This AngularJS template, which may contain code, depends on a $@. | app.js:66:18:66:34 | req.query.rawHtml | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
