fix tests

Author: am0o0

javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.expected

@@ -0,0 +1,8 @@
+nodes
+| examples/DeepObjectResourceExhaustion.js:9:29:9:36 | req.body |
+| examples/DeepObjectResourceExhaustion.js:9:29:9:36 | req.body |
+| examples/DeepObjectResourceExhaustion.js:9:29:9:36 | req.body |
+edges
+| examples/DeepObjectResourceExhaustion.js:9:29:9:36 | req.body | examples/DeepObjectResourceExhaustion.js:9:29:9:36 | req.body |
+#select
+| examples/DeepObjectResourceExhaustion.js:9:29:9:36 | req.body | examples/DeepObjectResourceExhaustion.js:9:29:9:36 | req.body | examples/DeepObjectResourceExhaustion.js:9:29:9:36 | req.body | Denial of service caused by processing $@ with $@. | examples/DeepObjectResourceExhaustion.js:9:29:9:36 | req.body | user input | examples/DeepObjectResourceExhaustion.js:4:21:4:35 | allErrors: true | allErrors: true |

javascript/ql/src/Security/CWE-400/RemotePropertyInjection.expected

@@ -1 +1,13 @@
-| examples/RemotePropertyInjection.js:8:8:8:11 | prop | A $@ is used as a property name to write to. | examples/RemotePropertyInjection.js:7:13:7:36 | req.que ... trolled | user-provided value |
+nodes
+| examples/RemotePropertyInjection.js:7:6:7:36 | prop |
+| examples/RemotePropertyInjection.js:7:13:7:36 | req.que ... trolled |
+| examples/RemotePropertyInjection.js:7:13:7:36 | req.que ... trolled |
+| examples/RemotePropertyInjection.js:8:8:8:11 | prop |
+| examples/RemotePropertyInjection.js:8:8:8:11 | prop |
+edges
+| examples/RemotePropertyInjection.js:7:6:7:36 | prop | examples/RemotePropertyInjection.js:8:8:8:11 | prop |
+| examples/RemotePropertyInjection.js:7:6:7:36 | prop | examples/RemotePropertyInjection.js:8:8:8:11 | prop |
+| examples/RemotePropertyInjection.js:7:13:7:36 | req.que ... trolled | examples/RemotePropertyInjection.js:7:6:7:36 | prop |
+| examples/RemotePropertyInjection.js:7:13:7:36 | req.que ... trolled | examples/RemotePropertyInjection.js:7:6:7:36 | prop |
+#select
+| examples/RemotePropertyInjection.js:8:8:8:11 | prop | examples/RemotePropertyInjection.js:7:13:7:36 | req.que ... trolled | examples/RemotePropertyInjection.js:8:8:8:11 | prop | A property name to write to depends on a $@. | examples/RemotePropertyInjection.js:7:13:7:36 | req.que ... trolled | user-provided value |

javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql

@@ -278,23 +278,6 @@ module DecompressionBomb {
     }
   }
 
-  module Brotli {
-    /**
-     * The decompression sinks of (brotli)[https://www.npmjs.com/package/brotli]
-     */
-    class DecompressionBomb extends Range {
-      DecompressionBomb() {
-        this =
-          [
-            API::moduleImport("brotli").getMember("decompress"),
-            API::moduleImport("brotli/decompress")
-          ]
-      }
-
-      override DataFlow::Node sink() { result = this.getACall().getArgument(0) }
-    }
-  }
-
   module Unzipper {
     /**
      * The decompression sinks of (unzipper)[https://www.npmjs.com/package/unzipper]

javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/RemoteFlowSources.qll

@@ -104,6 +104,10 @@ taintTracking
 | esLib.js:3:21:3:29 | "tainted" | esClient.js:8:13:8:21 | es.source |
 | esLib.js:3:21:3:29 | "tainted" | esClient.js:11:13:11:17 | esFoo |
 | esLib.js:3:21:3:29 | "tainted" | nodeJsClient.js:5:13:5:21 | es.source |
+| global-forin1.js:2:14:2:26 | [ "tainted" ] | global-forin1.js:1:13:1:13 | p |
+| global-forin1.js:2:14:2:26 | [ "tainted" ] | global-forin1.js:4:15:4:15 | p |
+| global-forin1.js:2:14:2:26 | [ "tainted" ] | global-forin1.js:7:13:7:13 | p |
+| global-forin1.js:2:14:2:26 | [ "tainted" ] | global-forin2.js:1:13:1:13 | p |
 | global.js:1:15:1:24 | "tainted1" | global.js:9:13:9:22 | g(source1) |
 | global.js:1:15:1:24 | "tainted1" | global.js:17:13:17:27 | window.location |
 | global.js:2:15:2:24 | "tainted2" | global.js:10:13:10:22 | g(source2) |

javascript/ql/test/library-tests/InterProceduralFlow/tests.expected

@@ -0,0 +1 @@
+| query-tests/Security/CWE-079/DomBasedXss/tst.js:296 | did not expect an alert, but found an alert for HtmlInjection | OK |  |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected

@@ -969,6 +969,18 @@ nodes
 | tst.js:288:59:288:65 | tainted |
 | tst.js:288:59:288:65 | tainted |
 | tst.js:288:59:288:65 | tainted |
+| tst.js:293:9:293:16 | obj |
+| tst.js:293:9:293:16 | obj |
+| tst.js:293:15:293:16 | {} |
+| tst.js:293:15:293:16 | {} |
+| tst.js:294:26:294:36 | window.name |
+| tst.js:294:26:294:36 | window.name |
+| tst.js:294:26:294:36 | window.name |
+| tst.js:295:19:295:21 | obj |
+| tst.js:295:19:295:21 | obj |
+| tst.js:296:9:296:9 | p |
+| tst.js:296:9:296:9 | p |
+| tst.js:296:9:296:9 | p |
 | tst.js:301:9:301:16 | location |
 | tst.js:301:9:301:16 | location |
 | tst.js:302:10:302:10 | e |
@@ -2139,6 +2151,18 @@ edges
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
+| tst.js:293:9:293:16 | obj | tst.js:295:19:295:21 | obj |
+| tst.js:293:9:293:16 | obj | tst.js:295:19:295:21 | obj |
+| tst.js:293:15:293:16 | {} | tst.js:293:9:293:16 | obj |
+| tst.js:293:15:293:16 | {} | tst.js:293:9:293:16 | obj |
+| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
+| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
+| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
+| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
+| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
+| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
+| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
+| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
 | tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
 | tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
 | tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e |
@@ -2545,6 +2569,7 @@ edges
 | tst.js:264:11:264:21 | window.name | tst.js:264:11:264:21 | window.name | tst.js:264:11:264:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:264:11:264:21 | window.name | user-provided value |
 | tst.js:280:22:280:29 | location | tst.js:280:22:280:29 | location | tst.js:280:22:280:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:280:22:280:29 | location | user-provided value |
 | tst.js:288:59:288:65 | tainted | tst.js:285:19:285:29 | window.name | tst.js:288:59:288:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:285:19:285:29 | window.name | user-provided value |
+| tst.js:296:9:296:9 | p | tst.js:294:26:294:36 | window.name | tst.js:296:9:296:9 | p | Cross-site scripting vulnerability due to $@. | tst.js:294:26:294:36 | window.name | user-provided value |
 | tst.js:303:20:303:20 | e | tst.js:301:9:301:16 | location | tst.js:303:20:303:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:301:9:301:16 | location | user-provided value |
 | tst.js:311:20:311:20 | e | tst.js:308:10:308:17 | location | tst.js:311:20:311:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:308:10:308:17 | location | user-provided value |
 | tst.js:316:35:316:42 | location | tst.js:316:35:316:42 | location | tst.js:316:35:316:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:316:35:316:42 | location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -981,6 +981,18 @@ nodes
 | tst.js:288:59:288:65 | tainted |
 | tst.js:288:59:288:65 | tainted |
 | tst.js:288:59:288:65 | tainted |
+| tst.js:293:9:293:16 | obj |
+| tst.js:293:9:293:16 | obj |
+| tst.js:293:15:293:16 | {} |
+| tst.js:293:15:293:16 | {} |
+| tst.js:294:26:294:36 | window.name |
+| tst.js:294:26:294:36 | window.name |
+| tst.js:294:26:294:36 | window.name |
+| tst.js:295:19:295:21 | obj |
+| tst.js:295:19:295:21 | obj |
+| tst.js:296:9:296:9 | p |
+| tst.js:296:9:296:9 | p |
+| tst.js:296:9:296:9 | p |
 | tst.js:301:9:301:16 | location |
 | tst.js:301:9:301:16 | location |
 | tst.js:302:10:302:10 | e |
@@ -2201,6 +2213,18 @@ edges
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
+| tst.js:293:9:293:16 | obj | tst.js:295:19:295:21 | obj |
+| tst.js:293:9:293:16 | obj | tst.js:295:19:295:21 | obj |
+| tst.js:293:15:293:16 | {} | tst.js:293:9:293:16 | obj |
+| tst.js:293:15:293:16 | {} | tst.js:293:9:293:16 | obj |
+| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
+| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
+| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
+| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
+| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
+| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
+| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
+| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
 | tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
 | tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
 | tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e |