fixed mistake in examples

Naman Jain · Naman Jain · commit adc8bf37fe16 · 2022-02-03T09:29:42.000Z
diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall2.js b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall2.js
@@ -3,13 +3,13 @@ var app = express();
 
 var actions = new Map();
 actions.put("play", function play(data) {
-  // ...
+    // ...
 });
 actions.put("pause", function pause(data) {
-  // ...
+    // ...
 });
 
 app.get('/perform/:action/:payload', function(req, res) {
-  let action = actions.get(req.params.action);
-  res.end(action.get(req.params.payload)); // NOT OK 
-});
+    let action = actions.get(req.params.action);
+    res.end(action(req.params.payload)); // NOT OK 
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall3.js b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall3.js
@@ -3,15 +3,15 @@ var app = express();
 
 var actions = new Map();
 actions.put("play", function play(data) {
-  // ...
+    // ...
 });
 actions.put("pause", function pause(data) {
-  // ...
+    // ...
 });
 
 app.get('/perform/:action/:payload', function(req, res) {
-  if (actions.has(req.params.action)){
-    let action = actions.get(req.params.action);
-    res.end(action.get(req.params.payload)); // NOT OK, but not flagged [INCONSISTENCY]
-  }
-});
+    if (actions.has(req.params.action)) {
+        let action = actions.get(req.params.action);
+        res.end(action(req.params.payload)); // NOT OK, but not flagged [INCONSISTENCY]
+    }
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall4.js b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall4.js
@@ -0,0 +1,20 @@
+var express = require('express');
+var app = express();
+
+var actions = new Map();
+actions.put("play", function play(data) {
+    // ...
+});
+actions.put("pause", function pause(data) {
+    // ...
+});
+
+app.get('/perform/:action/:payload', function(req, res) {
+    if (typeof actions.get(req.params.action) === 'function') {
+        let action = actions.get(req.params.action); // OK but flagged [INCONSISTENCY]
+        // GOOD: `action` is either the `play` or the `pause` function from above
+        res.end(action(req.params.payload));
+    } else {
+        res.end("Unsupported action.");
+    }
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood3.js b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood3.js
@@ -9,12 +9,12 @@ actions.put("pause", function pause(data) {
     // ...
 });
 
-app.get('/perform/:action/:payload', function (req, res) {
-    if (typeof actions.get(req.params.action) === 'function') {
-        let action = actions.get(req.params.action);
-        // GOOD: `action` is either the `play` or the `pause` function from above
+app.get('/perform/:action/:payload', function(req, res) {
+    let action = actions.get(req.params.action);
+    // GOOD: `action` is either the `play` or the `pause` function from above
+    if (typeof action === 'function') {
         res.end(action(req.params.payload));
     } else {
         res.end("Unsupported action.");
     }
-});
+});
