revert for in additional steps

Author: am0o0

javascript/ql/lib/semmle/javascript/frameworks/FormParsers.qll

@@ -177,14 +177,3 @@ module Dicer {
     }
   }
 }
-
-/**
- * An Additional taint step like `for (succ in pred)`
- */
-private class AdditionalTaintStepForIn extends TaintTracking::SharedTaintStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(ForInStmt fis, Variable v | v = fis.getAnIterationVariable() |
-      succ.asExpr() = v.getAnAccess() and pred.asExpr() = fis.getIterationDomain()
-    )
-  }
-}

javascript/ql/test/library-tests/InterProceduralFlow/tests.expected

@@ -104,10 +104,6 @@ taintTracking
 | esLib.js:3:21:3:29 | "tainted" | esClient.js:8:13:8:21 | es.source |
 | esLib.js:3:21:3:29 | "tainted" | esClient.js:11:13:11:17 | esFoo |
 | esLib.js:3:21:3:29 | "tainted" | nodeJsClient.js:5:13:5:21 | es.source |
-| global-forin1.js:2:14:2:26 | [ "tainted" ] | global-forin1.js:1:13:1:13 | p |
-| global-forin1.js:2:14:2:26 | [ "tainted" ] | global-forin1.js:4:15:4:15 | p |
-| global-forin1.js:2:14:2:26 | [ "tainted" ] | global-forin1.js:7:13:7:13 | p |
-| global-forin1.js:2:14:2:26 | [ "tainted" ] | global-forin2.js:1:13:1:13 | p |
 | global.js:1:15:1:24 | "tainted1" | global.js:9:13:9:22 | g(source1) |
 | global.js:1:15:1:24 | "tainted1" | global.js:17:13:17:27 | window.location |
 | global.js:2:15:2:24 | "tainted2" | global.js:10:13:10:22 | g(source2) |

javascript/ql/test/library-tests/frameworks/FormParsers/RemoteFlowSource.expected

@@ -47,9 +47,9 @@ nodes
 | dicer.js:13:19:13:24 | sink() |
 | dicer.js:14:28:14:33 | header |
 | dicer.js:14:28:14:33 | header |
-| dicer.js:15:23:15:28 | header |
-| dicer.js:16:22:16:22 | h |
-| dicer.js:16:22:16:22 | h |
+| dicer.js:16:22:16:27 | header |
+| dicer.js:16:22:16:30 | header[h] |
+| dicer.js:16:22:16:30 | header[h] |
 | dicer.js:19:26:19:29 | data |
 | dicer.js:19:26:19:29 | data |
 | dicer.js:20:18:20:21 | data |
@@ -148,10 +148,10 @@ edges
 | dicer.js:12:23:12:26 | part | dicer.js:13:19:13:24 | sink() |
 | dicer.js:12:23:12:26 | part | dicer.js:13:19:13:24 | sink() |
 | dicer.js:12:23:12:26 | part | dicer.js:13:19:13:24 | sink() |
-| dicer.js:14:28:14:33 | header | dicer.js:15:23:15:28 | header |
-| dicer.js:14:28:14:33 | header | dicer.js:15:23:15:28 | header |
-| dicer.js:15:23:15:28 | header | dicer.js:16:22:16:22 | h |
-| dicer.js:15:23:15:28 | header | dicer.js:16:22:16:22 | h |
+| dicer.js:14:28:14:33 | header | dicer.js:16:22:16:27 | header |
+| dicer.js:14:28:14:33 | header | dicer.js:16:22:16:27 | header |
+| dicer.js:16:22:16:27 | header | dicer.js:16:22:16:30 | header[h] |
+| dicer.js:16:22:16:27 | header | dicer.js:16:22:16:30 | header[h] |
 | dicer.js:19:26:19:29 | data | dicer.js:20:18:20:21 | data |
 | dicer.js:19:26:19:29 | data | dicer.js:20:18:20:21 | data |
 | dicer.js:19:26:19:29 | data | dicer.js:20:18:20:21 | data |
@@ -218,7 +218,7 @@ edges
 | busybus.js:28:24:28:26 | val | busybus.js:27:31:27:33 | val | busybus.js:28:24:28:26 | val | This entity depends on a $@. | busybus.js:27:31:27:33 | val | user-provided value |
 | busybus.js:28:29:28:32 | info | busybus.js:27:36:27:39 | info | busybus.js:28:29:28:32 | info | This entity depends on a $@. | busybus.js:27:36:27:39 | info | user-provided value |
 | dicer.js:13:19:13:24 | sink() | dicer.js:12:23:12:26 | part | dicer.js:13:19:13:24 | sink() | This entity depends on a $@. | dicer.js:12:23:12:26 | part | user-provided value |
-| dicer.js:16:22:16:22 | h | dicer.js:14:28:14:33 | header | dicer.js:16:22:16:22 | h | This entity depends on a $@. | dicer.js:14:28:14:33 | header | user-provided value |
+| dicer.js:16:22:16:30 | header[h] | dicer.js:14:28:14:33 | header | dicer.js:16:22:16:30 | header[h] | This entity depends on a $@. | dicer.js:14:28:14:33 | header | user-provided value |
 | dicer.js:20:18:20:21 | data | dicer.js:19:26:19:29 | data | dicer.js:20:18:20:21 | data | This entity depends on a $@. | dicer.js:19:26:19:29 | data | user-provided value |
 | formidable.js:8:10:8:15 | fields | formidable.js:7:35:7:49 | form.parse(req) | formidable.js:8:10:8:15 | fields | This entity depends on a $@. | formidable.js:7:35:7:49 | form.parse(req) | user-provided value |
 | formidable.js:8:18:8:22 | files | formidable.js:7:35:7:49 | form.parse(req) | formidable.js:8:18:8:22 | files | This entity depends on a $@. | formidable.js:7:35:7:49 | form.parse(req) | user-provided value |

javascript/ql/test/library-tests/frameworks/FormParsers/dicer.js

@@ -13,7 +13,7 @@ http.createServer((req, res) => {
         part.pipe(sink())
         part.on('header', (header) => {
             for (h in header) {
-                sink(h)
+                sink(header[h])
             }
         });
         part.on('data', (data) => {

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected

@@ -1 +0,0 @@
-| query-tests/Security/CWE-079/DomBasedXss/tst.js:296 | did not expect an alert, but found an alert for HtmlInjection | OK |  |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -969,18 +969,6 @@ nodes
 | tst.js:288:59:288:65 | tainted |
 | tst.js:288:59:288:65 | tainted |
 | tst.js:288:59:288:65 | tainted |
-| tst.js:293:9:293:16 | obj |
-| tst.js:293:9:293:16 | obj |
-| tst.js:293:15:293:16 | {} |
-| tst.js:293:15:293:16 | {} |
-| tst.js:294:26:294:36 | window.name |
-| tst.js:294:26:294:36 | window.name |
-| tst.js:294:26:294:36 | window.name |
-| tst.js:295:19:295:21 | obj |
-| tst.js:295:19:295:21 | obj |
-| tst.js:296:9:296:9 | p |
-| tst.js:296:9:296:9 | p |
-| tst.js:296:9:296:9 | p |
 | tst.js:301:9:301:16 | location |
 | tst.js:301:9:301:16 | location |
 | tst.js:302:10:302:10 | e |
@@ -2151,18 +2139,6 @@ edges
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
-| tst.js:293:9:293:16 | obj | tst.js:295:19:295:21 | obj |
-| tst.js:293:9:293:16 | obj | tst.js:295:19:295:21 | obj |
-| tst.js:293:15:293:16 | {} | tst.js:293:9:293:16 | obj |
-| tst.js:293:15:293:16 | {} | tst.js:293:9:293:16 | obj |
-| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
-| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
-| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
-| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
-| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
-| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
-| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
-| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
 | tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
 | tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
 | tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e |
@@ -2569,7 +2545,6 @@ edges
 | tst.js:264:11:264:21 | window.name | tst.js:264:11:264:21 | window.name | tst.js:264:11:264:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:264:11:264:21 | window.name | user-provided value |
 | tst.js:280:22:280:29 | location | tst.js:280:22:280:29 | location | tst.js:280:22:280:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:280:22:280:29 | location | user-provided value |
 | tst.js:288:59:288:65 | tainted | tst.js:285:19:285:29 | window.name | tst.js:288:59:288:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:285:19:285:29 | window.name | user-provided value |
-| tst.js:296:9:296:9 | p | tst.js:294:26:294:36 | window.name | tst.js:296:9:296:9 | p | Cross-site scripting vulnerability due to $@. | tst.js:294:26:294:36 | window.name | user-provided value |
 | tst.js:303:20:303:20 | e | tst.js:301:9:301:16 | location | tst.js:303:20:303:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:301:9:301:16 | location | user-provided value |
 | tst.js:311:20:311:20 | e | tst.js:308:10:308:17 | location | tst.js:311:20:311:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:308:10:308:17 | location | user-provided value |
 | tst.js:316:35:316:42 | location | tst.js:316:35:316:42 | location | tst.js:316:35:316:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:316:35:316:42 | location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -981,18 +981,6 @@ nodes
 | tst.js:288:59:288:65 | tainted |
 | tst.js:288:59:288:65 | tainted |
 | tst.js:288:59:288:65 | tainted |
-| tst.js:293:9:293:16 | obj |
-| tst.js:293:9:293:16 | obj |
-| tst.js:293:15:293:16 | {} |
-| tst.js:293:15:293:16 | {} |
-| tst.js:294:26:294:36 | window.name |
-| tst.js:294:26:294:36 | window.name |
-| tst.js:294:26:294:36 | window.name |
-| tst.js:295:19:295:21 | obj |
-| tst.js:295:19:295:21 | obj |
-| tst.js:296:9:296:9 | p |
-| tst.js:296:9:296:9 | p |
-| tst.js:296:9:296:9 | p |
 | tst.js:301:9:301:16 | location |
 | tst.js:301:9:301:16 | location |
 | tst.js:302:10:302:10 | e |
@@ -2213,18 +2201,6 @@ edges
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
 | tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted |
-| tst.js:293:9:293:16 | obj | tst.js:295:19:295:21 | obj |
-| tst.js:293:9:293:16 | obj | tst.js:295:19:295:21 | obj |
-| tst.js:293:15:293:16 | {} | tst.js:293:9:293:16 | obj |
-| tst.js:293:15:293:16 | {} | tst.js:293:9:293:16 | obj |
-| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
-| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
-| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
-| tst.js:294:26:294:36 | window.name | tst.js:293:15:293:16 | {} |
-| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
-| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
-| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
-| tst.js:295:19:295:21 | obj | tst.js:296:9:296:9 | p |
 | tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
 | tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
 | tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e |