tests

valeria-meli · valeria-meli · commit 0b5c8909dd38 · 2021-08-03T18:00:49.000-03:00
diff --git a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected
@@ -0,0 +1,176 @@
+nodes
+| check-domain.js:16:9:16:27 | url |
+| check-domain.js:16:15:16:27 | req.query.url |
+| check-domain.js:16:15:16:27 | req.query.url |
+| check-domain.js:17:13:17:15 | url |
+| check-domain.js:17:13:17:15 | url |
+| check-domain.js:26:15:26:27 | req.query.url |
+| check-domain.js:26:15:26:27 | req.query.url |
+| check-domain.js:26:15:26:27 | req.query.url |
+| check-middleware.js:9:13:9:43 | "test.c ... tainted |
+| check-middleware.js:9:13:9:43 | "test.c ... tainted |
+| check-middleware.js:9:27:9:43 | req.query.tainted |
+| check-middleware.js:9:27:9:43 | req.query.tainted |
+| check-path.js:19:13:19:43 | 'test.c ... tainted |
+| check-path.js:19:13:19:43 | 'test.c ... tainted |
+| check-path.js:19:27:19:43 | req.query.tainted |
+| check-path.js:19:27:19:43 | req.query.tainted |
+| check-path.js:22:13:22:63 | 'test.c ... ainted) |
+| check-path.js:22:13:22:63 | 'test.c ... ainted) |
+| check-path.js:22:27:22:63 | encodeU ... ainted) |
+| check-path.js:22:46:22:62 | req.query.tainted |
+| check-path.js:22:46:22:62 | req.query.tainted |
+| check-path.js:23:13:23:45 | `/addre ... inted}` |
+| check-path.js:23:13:23:45 | `/addre ... inted}` |
+| check-path.js:23:27:23:43 | req.query.tainted |
+| check-path.js:23:27:23:43 | req.query.tainted |
+| check-path.js:24:13:24:65 | `/addre ... nted)}` |
+| check-path.js:24:13:24:65 | `/addre ... nted)}` |
+| check-path.js:24:27:24:63 | encodeU ... ainted) |
+| check-path.js:24:46:24:62 | req.query.tainted |
+| check-path.js:24:46:24:62 | req.query.tainted |
+| check-path.js:33:15:33:45 | 'test.c ... tainted |
+| check-path.js:33:15:33:45 | 'test.c ... tainted |
+| check-path.js:33:29:33:45 | req.query.tainted |
+| check-path.js:33:29:33:45 | req.query.tainted |
+| check-path.js:37:15:37:45 | 'test.c ... tainted |
+| check-path.js:37:15:37:45 | 'test.c ... tainted |
+| check-path.js:37:29:37:45 | req.query.tainted |
+| check-path.js:37:29:37:45 | req.query.tainted |
+| check-regex.js:24:15:24:42 | baseURL ... tainted |
+| check-regex.js:24:15:24:42 | baseURL ... tainted |
+| check-regex.js:24:25:24:42 | req.params.tainted |
+| check-regex.js:24:25:24:42 | req.params.tainted |
+| check-regex.js:31:15:31:45 | "test.c ... tainted |
+| check-regex.js:31:15:31:45 | "test.c ... tainted |
+| check-regex.js:31:29:31:45 | req.query.tainted |
+| check-regex.js:31:29:31:45 | req.query.tainted |
+| check-regex.js:34:15:34:42 | baseURL ... tainted |
+| check-regex.js:34:15:34:42 | baseURL ... tainted |
+| check-regex.js:34:25:34:42 | req.params.tainted |
+| check-regex.js:34:25:34:42 | req.params.tainted |
+| check-regex.js:41:13:41:43 | "test.c ... tainted |
+| check-regex.js:41:13:41:43 | "test.c ... tainted |
+| check-regex.js:41:27:41:43 | req.query.tainted |
+| check-regex.js:41:27:41:43 | req.query.tainted |
+| check-validator.js:15:15:15:45 | "test.c ... tainted |
+| check-validator.js:15:15:15:45 | "test.c ... tainted |
+| check-validator.js:15:29:15:45 | req.query.tainted |
+| check-validator.js:15:29:15:45 | req.query.tainted |
+| check-validator.js:27:15:27:45 | "test.c ... tainted |
+| check-validator.js:27:15:27:45 | "test.c ... tainted |
+| check-validator.js:27:29:27:45 | req.query.tainted |
+| check-validator.js:27:29:27:45 | req.query.tainted |
+| check-validator.js:50:15:50:45 | "test.c ... tainted |
+| check-validator.js:50:15:50:45 | "test.c ... tainted |
+| check-validator.js:50:29:50:45 | req.query.tainted |
+| check-validator.js:50:29:50:45 | req.query.tainted |
+| check-validator.js:54:9:54:37 | numberURL |
+| check-validator.js:54:21:54:37 | req.query.tainted |
+| check-validator.js:54:21:54:37 | req.query.tainted |
+| check-validator.js:59:15:59:45 | "test.c ... tainted |
+| check-validator.js:59:15:59:45 | "test.c ... tainted |
+| check-validator.js:59:29:59:45 | req.query.tainted |
+| check-validator.js:59:29:59:45 | req.query.tainted |
+| check-validator.js:62:15:62:37 | "test.c ... mberURL |
+| check-validator.js:62:15:62:37 | "test.c ... mberURL |
+| check-validator.js:62:29:62:37 | numberURL |
+| check-validator.js:68:15:68:45 | "test.c ... tainted |
+| check-validator.js:68:15:68:45 | "test.c ... tainted |
+| check-validator.js:68:29:68:45 | req.query.tainted |
+| check-validator.js:68:29:68:45 | req.query.tainted |
+edges
+| check-domain.js:16:9:16:27 | url | check-domain.js:17:13:17:15 | url |
+| check-domain.js:16:9:16:27 | url | check-domain.js:17:13:17:15 | url |
+| check-domain.js:16:15:16:27 | req.query.url | check-domain.js:16:9:16:27 | url |
+| check-domain.js:16:15:16:27 | req.query.url | check-domain.js:16:9:16:27 | url |
+| check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url |
+| check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted |
+| check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted |
+| check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted |
+| check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted |
+| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
+| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
+| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
+| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
+| check-path.js:22:27:22:63 | encodeU ... ainted) | check-path.js:22:13:22:63 | 'test.c ... ainted) |
+| check-path.js:22:27:22:63 | encodeU ... ainted) | check-path.js:22:13:22:63 | 'test.c ... ainted) |
+| check-path.js:22:46:22:62 | req.query.tainted | check-path.js:22:27:22:63 | encodeU ... ainted) |
+| check-path.js:22:46:22:62 | req.query.tainted | check-path.js:22:27:22:63 | encodeU ... ainted) |
+| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
+| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
+| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
+| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
+| check-path.js:24:27:24:63 | encodeU ... ainted) | check-path.js:24:13:24:65 | `/addre ... nted)}` |
+| check-path.js:24:27:24:63 | encodeU ... ainted) | check-path.js:24:13:24:65 | `/addre ... nted)}` |
+| check-path.js:24:46:24:62 | req.query.tainted | check-path.js:24:27:24:63 | encodeU ... ainted) |
+| check-path.js:24:46:24:62 | req.query.tainted | check-path.js:24:27:24:63 | encodeU ... ainted) |
+| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
+| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
+| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
+| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
+| check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
+| check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
+| check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
+| check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
+| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
+| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
+| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
+| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
+| check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted |
+| check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted |
+| check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted |
+| check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted |
+| check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted |
+| check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted |
+| check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted |
+| check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted |
+| check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
+| check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
+| check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
+| check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
+| check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
+| check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
+| check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
+| check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
+| check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted |
+| check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted |
+| check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted |
+| check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted |
+| check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted |
+| check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted |
+| check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted |
+| check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted |
+| check-validator.js:54:9:54:37 | numberURL | check-validator.js:62:29:62:37 | numberURL |
+| check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:54:9:54:37 | numberURL |
+| check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:54:9:54:37 | numberURL |
+| check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted |
+| check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted |
+| check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted |
+| check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted |
+| check-validator.js:62:29:62:37 | numberURL | check-validator.js:62:15:62:37 | "test.c ... mberURL |
+| check-validator.js:62:29:62:37 | numberURL | check-validator.js:62:15:62:37 | "test.c ... mberURL |
+| check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted |
+| check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted |
+| check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted |
+| check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted |
+#select
+| check-domain.js:17:13:17:15 | url | check-domain.js:16:15:16:27 | req.query.url | check-domain.js:17:13:17:15 | url | The URL of this request depends on a user-provided value |
+| check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | The URL of this request depends on a user-provided value |
+| check-middleware.js:9:13:9:43 | "test.c ... tainted | check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-path.js:19:13:19:43 | 'test.c ... tainted | check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-path.js:22:13:22:63 | 'test.c ... ainted) | check-path.js:22:46:22:62 | req.query.tainted | check-path.js:22:13:22:63 | 'test.c ... ainted) | The URL of this request depends on a user-provided value |
+| check-path.js:23:13:23:45 | `/addre ... inted}` | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` | The URL of this request depends on a user-provided value |
+| check-path.js:24:13:24:65 | `/addre ... nted)}` | check-path.js:24:46:24:62 | req.query.tainted | check-path.js:24:13:24:65 | `/addre ... nted)}` | The URL of this request depends on a user-provided value |
+| check-path.js:33:15:33:45 | 'test.c ... tainted | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-path.js:37:15:37:45 | 'test.c ... tainted | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-regex.js:24:15:24:42 | baseURL ... tainted | check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted | The URL of this request depends on a user-provided value |
+| check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value |
+| check-regex.js:41:13:41:43 | "test.c ... tainted | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-validator.js:15:15:15:45 | "test.c ... tainted | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-validator.js:27:15:27:45 | "test.c ... tainted | check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-validator.js:50:15:50:45 | "test.c ... tainted | check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-validator.js:59:15:59:45 | "test.c ... tainted | check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-validator.js:62:15:62:37 | "test.c ... mberURL | check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:62:15:62:37 | "test.c ... mberURL | The URL of this request depends on a user-provided value |
+| check-validator.js:68:15:68:45 | "test.c ... tainted | check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted | The URL of this request depends on a user-provided value |
diff --git a/javascript/ql/test/experimental/Security/CWE-918/SSRF.qlref b/javascript/ql/test/experimental/Security/CWE-918/SSRF.qlref
@@ -0,0 +1 @@
+./experimental/Security/CWE-918/SSRF.ql
diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-domain.js b/javascript/ql/test/experimental/Security/CWE-918/check-domain.js
@@ -0,0 +1,34 @@
+// native modules
+const url = require('url');
+
+// dependencies
+const axios = require('axios');
+const express = require('express');
+
+// constants
+const VALID_DOMAINS = ['example.com', 'example-2.com'];
+
+// start
+const app = express();
+
+app.get('/check-with-axios', req => {
+  // without validation
+  const url = req.query.url;
+  axios.get(url); //SSRF
+
+  // validating domain only
+  const decodedURI = decodeURIComponent(req.query.url);
+  const { hostname } = url.parse(decodedURI);
+
+  const { hostname } = url.parse(decodedURI);
+
+  if (isValidDomain(hostname, validDomains)) {
+    axios.get(req.query.url); //SSRF
+  }
+});
+
+const isValidDomain = (hostname, validDomains) => (
+  validDomains.some(domain => (
+    hostname === domain || hostname.endsWith(`.${domain}`))
+  )
+);
diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-middleware.js b/javascript/ql/test/experimental/Security/CWE-918/check-middleware.js
@@ -0,0 +1,19 @@
+// dependencies
+const axios = require('axios');
+const express = require('express');
+
+// start
+const app = express();
+
+app.get('/check-with-axios', validationMiddleware, req => {
+  axios.get("test.com/" + req.query.tainted); // OK is sanitized by the middleware - False Positive
+});
+
+
+const validationMiddleware = (req, res, next) => {
+  if (!Number.isInteger(req.query.tainted)) {
+    return res.sendStatus(400);
+  }
+
+  next();
+}
diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-path.js b/javascript/ql/test/experimental/Security/CWE-918/check-path.js
@@ -0,0 +1,54 @@
+// native modules
+const path = require('path');
+const url = require('url');
+
+// dependencies
+const axios = require('axios');
+const express = require('express');
+
+// constants
+const VALID_PATHS = ['/api/users/me', '/help', '/system/health'];
+
+// start
+const app = express();
+
+app.get('/check-with-axios', req => {
+  const hardcoded = 'hardcodeado';
+
+  axios.get('test.com/' + hardcoded); // OK
+  axios.get('test.com/' + req.query.tainted); // SSRF
+  axios.get('test.com/' + Number(req.query.tainted)); // OK
+  axios.get('test.com/' + req.user.id); // OK
+  axios.get('test.com/' + encodeURIComponent(req.query.tainted)); // SSRF
+  axios.get(`/addresses/${req.query.tainted}`); // SSRF
+  axios.get(`/addresses/${encodeURIComponent(req.query.tainted)}`); // SSRF
+  
+  if (Number.isInteger(req.query.tainted)) {
+    axios.get('test.com/' + req.query.tainted); // OK
+  }
+
+  if (isValidInput(req.query.tainted)){
+    axios.get('test.com/' + req.query.tainted); // OK
+  } else {
+    axios.get('test.com/' + req.query.tainted); // SSRF
+  }
+
+  if (doesntCheckAnything(req.query.tainted)) {
+    axios.get('test.com/' + req.query.tainted); // SSRF
+  }
+
+  if (isValidPath(req.query.tainted, VALID_PATHS)) {
+    axios.get('test.com/' + req.query.tainted) // OK
+  }
+
+  if(!isValidInput(req.query.tainted)) {
+    return;
+  }
+  axios.get("test.com/" + req.query.tainted); // OK
+});
+
+const isValidPath = (path, validPaths) => validPaths.includes(path);
+
+const isValidInput = (path) => Number.isInteger(path);
+
+const doesntCheckAnything = (path) => true;
diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-regex.js b/javascript/ql/test/experimental/Security/CWE-918/check-regex.js
@@ -0,0 +1,46 @@
+// dependencies
+const axios = require('axios');
+const express = require('express');
+
+// start
+const app = express();
+
+app.get('/check-with-axios', req => {
+  if (req.query.tainted.match(/^[0-9a-z]+$/)) { // letters and numbers
+    axios.get("test.com/" + req.query.tainted); // OK
+  }
+  if (req.query.tainted.match(/^[0-9a-z\-_]+$/)) { // letters, numbers, - and _
+    axios.get("test.com/" + req.query.tainted); // OK
+  }
+  if (req.query.tainted.match(/^.*$/)) { // anything
+    axios.get("test.com/" + req.query.tainted); // SSRF - False Negative
+  }
+
+  const baseURL = "test.com/"
+  if (isValidPath(req.params.tainted) ) {
+    axios.get(baseURL + req.params.tainted); // OK
+  }
+  if (!isValidPath(req.params.tainted) ) {
+    axios.get(baseURL + req.params.tainted); // SSRF
+  } else {
+    axios.get(baseURL + req.params.tainted); // OK
+  }
+  
+  // Blacklists are not safe
+  if (!req.query.tainted.match(/^[/\.%]+$/)) {
+    axios.get("test.com/" + req.query.tainted); // SSRF
+  }
+  if (!isInBlacklist(req.params.tainted) ) {
+    axios.get(baseURL + req.params.tainted); // SSRF
+  }
+
+  if (!isValidPath(req.params.tainted)) {
+    return;
+  }
+
+  axios.get("test.com/" + req.query.tainted); // OK - False Positive
+});
+
+const isValidPath = path =>  path.match(/^[0-9a-z]+$/);
+
+const isInBlackList = path =>  path.match(/^[/\.%]+$/);
diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-validator.js b/javascript/ql/test/experimental/Security/CWE-918/check-validator.js

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+./experimental/Security/CWE-918/SSRF.ql`