
Commit 53efb58

committed
JS: Update some tests with provenance columns
Only includes the changes that purely contain the new provenance columns
1 parent 88edc06 commit 53efb58

44 files changed

+1694
-1715
lines changed


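--- a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected
+++ b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected
@@ -1,25 +1,25 @@
 edges
-| check-domain.js:16:9:16:27 | url | check-domain.js:17:13:17:15 | url |
-| check-domain.js:16:15:16:27 | req.query.url | check-domain.js:16:9:16:27 | url |
-| check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted |
-| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
-| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
-| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
-| check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
-| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
-| check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted |
-| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
-| check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted |
-| check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted |
-| check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
-| check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
-| check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted |
-| check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted |
-| check-validator.js:54:9:54:37 | numberURL | check-validator.js:62:29:62:37 | numberURL |
-| check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:54:9:54:37 | numberURL |
-| check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted |
-| check-validator.js:62:29:62:37 | numberURL | check-validator.js:62:15:62:37 | "test.c ... mberURL |
-| check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted |
+| check-domain.js:16:9:16:27 | url | check-domain.js:17:13:17:15 | url | provenance | |
+| check-domain.js:16:15:16:27 | req.query.url | check-domain.js:16:9:16:27 | url | provenance | |
+| check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted | provenance | |
+| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted | provenance | |
+| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` | provenance | |
+| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted | provenance | |
+| check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted | provenance | |
+| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` | provenance | |
+| check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted | provenance | |
+| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted | provenance | |
+| check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | provenance | |
+| check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | provenance | |
+| check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | provenance | |
+| check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | provenance | |
+| check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted | provenance | |
+| check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted | provenance | |
+| check-validator.js:54:9:54:37 | numberURL | check-validator.js:62:29:62:37 | numberURL | provenance | |
+| check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:54:9:54:37 | numberURL | provenance | |
+| check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted | provenance | |
+| check-validator.js:62:29:62:37 | numberURL | check-validator.js:62:15:62:37 | "test.c ... mberURL | provenance | |
+| check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted | provenance | |
 nodes
 | check-domain.js:16:9:16:27 | url | semmle.label | url |
 | check-domain.js:16:15:16:27 | req.query.url | semmle.label | req.query.url |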

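--- a/javascript/ql/test/library-tests/InterProceduralFlow/tests.expected
+++ b/javascript/ql/test/library-tests/InterProceduralFlow/tests.expected
@@ -48,12 +48,6 @@ dataFlow
 | partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
-| promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
-| promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
-| promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |
-| promises.js:12:22:12:31 | "rejected" | promises.js:21:20:21:20 | v |
-| promises.js:12:22:12:31 | "rejected" | promises.js:24:20:24:20 | v |
-| promises.js:32:24:32:37 | "also tainted" | promises.js:38:32:38:32 | v |
 | properties2.js:7:14:7:21 | "source" | properties2.js:8:12:8:24 | foo(source).p |
 | properties2.js:7:14:7:21 | "source" | properties2.js:17:13:17:15 | o.p |
 | properties2.js:7:14:7:21 | "source" | properties2.js:33:13:33:20 | getP(o3) |
@@ -67,7 +61,6 @@ dataFlow
 | tst2.js:6:24:6:37 | "also tainted" | tst2.js:11:15:11:24 | g(source2) |
 | tst6.mjs:12:14:12:21 | "source" | tst6.mjs:14:12:14:16 | a.m() |
 | tst6.mjs:16:15:16:23 | "source2" | tst6.mjs:18:13:18:24 | a.m.call(a2) |
-| tst.js:2:17:2:22 | "src1" | tst.js:28:20:28:22 | elt |
 | tst.js:2:17:2:22 | "src1" | tst.js:39:17:39:17 | x |
 | tst.js:2:17:2:22 | "src1" | tst.js:41:19:41:19 | x |
 | tst.js:2:17:2:22 | "src1" | tst.js:45:17:45:17 | x |
@@ -133,12 +126,6 @@ taintTracking
 | partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
-| promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
-| promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
-| promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |
-| promises.js:12:22:12:31 | "rejected" | promises.js:21:20:21:20 | v |
-| promises.js:12:22:12:31 | "rejected" | promises.js:24:20:24:20 | v |
-| promises.js:32:24:32:37 | "also tainted" | promises.js:38:32:38:32 | v |
 | properties2.js:7:14:7:21 | "source" | properties2.js:8:12:8:24 | foo(source).p |
 | properties2.js:7:14:7:21 | "source" | properties2.js:17:13:17:15 | o.p |
 | properties2.js:7:14:7:21 | "source" | properties2.js:33:13:33:20 | getP(o3) |
@@ -167,7 +154,6 @@ taintTracking
 | tst.js:2:17:2:22 | "src1" | tst.js:19:16:19:34 | JSON.parse(source1) |
 | tst.js:2:17:2:22 | "src1" | tst.js:20:16:20:37 | JSON.st ... sink10) |
 | tst.js:2:17:2:22 | "src1" | tst.js:24:16:24:18 | foo |
-| tst.js:2:17:2:22 | "src1" | tst.js:28:20:28:22 | elt |
 | tst.js:2:17:2:22 | "src1" | tst.js:30:20:30:22 | ary |
 | tst.js:2:17:2:22 | "src1" | tst.js:36:16:36:24 | dict[key] |
 | tst.js:2:17:2:22 | "src1" | tst.js:39:17:39:17 | x |
@@ -237,12 +223,6 @@ germanFlow
 | partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
-| promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
-| promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
-| promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |
-| promises.js:12:22:12:31 | "rejected" | promises.js:21:20:21:20 | v |
-| promises.js:12:22:12:31 | "rejected" | promises.js:24:20:24:20 | v |
-| promises.js:32:24:32:37 | "also tainted" | promises.js:38:32:38:32 | v |
 | properties2.js:7:14:7:21 | "source" | properties2.js:8:12:8:24 | foo(source).p |
 | properties2.js:7:14:7:21 | "source" | properties2.js:17:13:17:15 | o.p |
 | properties2.js:7:14:7:21 | "source" | properties2.js:33:13:33:20 | getP(o3) |
@@ -256,7 +236,6 @@ germanFlow
 | tst2.js:6:24:6:37 | "also tainted" | tst2.js:11:15:11:24 | g(source2) |
 | tst6.mjs:12:14:12:21 | "source" | tst6.mjs:14:12:14:16 | a.m() |
 | tst6.mjs:16:15:16:23 | "source2" | tst6.mjs:18:13:18:24 | a.m.call(a2) |
-| tst.js:2:17:2:22 | "src1" | tst.js:28:20:28:22 | elt |
 | tst.js:2:17:2:22 | "src1" | tst.js:39:17:39:17 | x |
 | tst.js:2:17:2:22 | "src1" | tst.js:41:19:41:19 | x |
 | tst.js:2:17:2:22 | "src1" | tst.js:45:17:45:17 | x |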
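Review bot: The rows dropped from `dataFlow`, `taintTracking` and `germanFlow` are removed results, not provenance-column updates: the file has 0 additions, and each of the three sections loses the six `promises.js` flows plus `tst.js:2:17:2:22 | "src1" | tst.js:28:20:28:22 | elt`. That contradicts the description, which says the commit only includes changes that purely contain the new provenance columns. If the library no longer reports these flows, queries built on it would presumably miss taint passing through promise callbacks and the `elt` read, so the expectation change hides a possible false-negative regression. I would move this file to a separate commit whose message states why the flows are gone, or confirm here that the same flows are still asserted by another test.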

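--- a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected
+++ b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected
@@ -1,36 +1,36 @@
 edges
-| app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode |
-| app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 |
-| app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString |
-| app.js:34:30:34:58 | req.que ... tedCode | views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode |
-| app.js:36:25:36:48 | req.que ... shSink1 | views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 |
-| app.js:38:35:38:68 | req.que ... rString | views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString |
-| app.js:53:30:53:58 | req.que ... tedCode | views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode |
-| app.js:54:33:54:64 | req.que ... CodeRaw | views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw |
-| app.js:56:25:56:48 | req.que ... shSink1 | views/njk_sinks.njk:17:22:17:35 | backslashSink1 |
-| app.js:58:35:58:68 | req.que ... rString | views/njk_sinks.njk:22:42:22:65 | dataInE ... rString |
-| app.js:59:38:59:74 | req.que ... ringRaw | views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw |
-| app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_include.ejs:2:9:2:19 | escapedHtml |
-| app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml |
-| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_include.ejs:3:9:3:15 | rawHtml |
-| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml |
-| views/angularjs_include.ejs:2:9:2:19 | escapedHtml | views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> |
-| views/angularjs_include.ejs:3:9:3:15 | rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> |
-| views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> |
-| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
-| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
-| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
-| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
-| views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} |
-| views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} |
-| views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} |
-| views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} |
-| views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw | views/njk_sinks.njk:14:45:14:73 | dataInG ... \| safe |
-| views/njk_sinks.njk:14:45:14:73 | dataInG ... \| safe | views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} |
-| views/njk_sinks.njk:17:22:17:35 | backslashSink1 | views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} |
-| views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} |
-| views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw | views/njk_sinks.njk:23:42:23:75 | dataInE ... \| safe |
-| views/njk_sinks.njk:23:42:23:75 | dataInE ... \| safe | views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} |
+| app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | provenance | |
+| app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | provenance | |
+| app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | provenance | |
+| app.js:34:30:34:58 | req.que ... tedCode | views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | provenance | |
+| app.js:36:25:36:48 | req.que ... shSink1 | views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | provenance | |
+| app.js:38:35:38:68 | req.que ... rString | views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | provenance | |
+| app.js:53:30:53:58 | req.que ... tedCode | views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | provenance | |
+| app.js:54:33:54:64 | req.que ... CodeRaw | views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw | provenance | |
+| app.js:56:25:56:48 | req.que ... shSink1 | views/njk_sinks.njk:17:22:17:35 | backslashSink1 | provenance | |
+| app.js:58:35:58:68 | req.que ... rString | views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | provenance | |
+| app.js:59:38:59:74 | req.que ... ringRaw | views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw | provenance | |
+| app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_include.ejs:2:9:2:19 | escapedHtml | provenance | |
+| app.js:65:22:65:42 | req.que ... pedHtml | views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | provenance | |
+| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_include.ejs:3:9:3:15 | rawHtml | provenance | |
+| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | provenance | |
+| views/angularjs_include.ejs:2:9:2:19 | escapedHtml | views/angularjs_include.ejs:2:5:2:22 | <%= escapedHtml %> | provenance | |
+| views/angularjs_include.ejs:3:9:3:15 | rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | provenance | |
+| views/angularjs_sinks.ejs:3:13:3:23 | escapedHtml | views/angularjs_sinks.ejs:3:9:3:26 | <%= escapedHtml %> | provenance | |
+| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | provenance | |
+| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | provenance | |
+| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | provenance | |
+| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | provenance | |
+| views/hbs_sinks.hbs:25:42:25:60 | dataInGeneratedCode | views/hbs_sinks.hbs:25:39:25:63 | {{ dataInGeneratedCode }} | provenance | |
+| views/hbs_sinks.hbs:28:22:28:35 | backslashSink1 | views/hbs_sinks.hbs:28:19:28:38 | {{ backslashSink1 }} | provenance | |
+| views/hbs_sinks.hbs:33:42:33:65 | dataInE ... rString | views/hbs_sinks.hbs:33:39:33:68 | {{ dataInEventHandlerString }} | provenance | |
+| views/njk_sinks.njk:13:42:13:60 | dataInGeneratedCode | views/njk_sinks.njk:13:39:13:63 | {{ dataInGeneratedCode }} | provenance | |
+| views/njk_sinks.njk:14:45:14:66 | dataInG ... CodeRaw | views/njk_sinks.njk:14:45:14:73 | dataInG ... \| safe | provenance | |
+| views/njk_sinks.njk:14:45:14:73 | dataInG ... \| safe | views/njk_sinks.njk:14:42:14:76 | {{ dataInGeneratedCodeRaw \| safe }} | provenance | |
+| views/njk_sinks.njk:17:22:17:35 | backslashSink1 | views/njk_sinks.njk:17:19:17:38 | {{ backslashSink1 }} | provenance | |
+| views/njk_sinks.njk:22:42:22:65 | dataInE ... rString | views/njk_sinks.njk:22:39:22:68 | {{ dataInEventHandlerString }} | provenance | |
+| views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw | views/njk_sinks.njk:23:42:23:75 | dataInE ... \| safe | provenance | |
+| views/njk_sinks.njk:23:42:23:75 | dataInE ... \| safe | views/njk_sinks.njk:23:39:23:78 | {{ dataInEventHandlerStringRaw \| safe }} | provenance | |
 nodes
 | app.js:15:30:15:58 | req.que ... tedCode | semmle.label | req.que ... tedCode |
 | app.js:17:25:17:48 | req.que ... shSink1 | semmle.label | req.que ... shSink1 |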
