JS: Add test with route handler indirection

asgerf · asgerf · commit 7492293c5bfa · 2021-12-07T10:46:18.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected
@@ -0,0 +1 @@
+| query-tests/Security/CWE-073/routes.js:2 | expected an alert, but found none | NOT OK |  |
diff --git a/javascript/ql/test/query-tests/Security/CWE-073/routes.js b/javascript/ql/test/query-tests/Security/CWE-073/routes.js
@@ -0,0 +1,3 @@
+exports.foo = function(req, res) {
+    res.render('foo', req.body); // NOT OK
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst.js b/javascript/ql/test/query-tests/Security/CWE-073/tst.js
@@ -27,4 +27,7 @@ function indirect(res, obj) {
     res.render("template", str); // OK 
 
     res.render("template", JSON.parse(str)); // NOT OK
-}
+}
+
+let routes = require('./routes');
+app.post('/foo', routes.foo);

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| query-tests/Security/CWE-073/routes.js:2 \| expected an alert, but found none \| NOT OK \| \|`