
Commit 8af430d

committed
JS: Shift line numbers in TemplateObjectInjection test
1 parent 5f8ea39 commit 8af430d


2 files changed

+54
-52
lines changed


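--- a/javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.expected
@@ -29,31 +29,31 @@ nodes
 | tst2.js:51:25:51:46 | req.bod ... rameter |
 | tst2.js:52:28:52:40 | bodyParameter |
 | tst2.js:52:28:52:40 | bodyParameter |
-| tst.js:5:9:5:46 | bodyParameter |
-| tst.js:5:25:5:32 | req.body |
-| tst.js:5:25:5:32 | req.body |
-| tst.js:5:25:5:46 | req.bod ... rameter |
-| tst.js:6:9:6:49 | queryParameter |
-| tst.js:6:9:6:49 | queryParameter |
-| tst.js:6:26:6:49 | req.que ... rameter |
-| tst.js:6:26:6:49 | req.que ... rameter |
-| tst.js:6:26:6:49 | req.que ... rameter |
-| tst.js:8:28:8:40 | bodyParameter |
-| tst.js:8:28:8:40 | bodyParameter |
-| tst.js:9:28:9:41 | queryParameter |
-| tst.js:9:28:9:41 | queryParameter |
-| tst.js:18:19:18:32 | queryParameter |
-| tst.js:18:19:18:32 | queryParameter |
-| tst.js:21:24:21:26 | obj |
-| tst.js:21:24:21:26 | obj |
-| tst.js:22:28:22:30 | obj |
-| tst.js:22:28:22:30 | obj |
-| tst.js:24:11:24:24 | str |
-| tst.js:24:17:24:19 | obj |
-| tst.js:24:17:24:24 | obj + "" |
-| tst.js:27:28:27:42 | JSON.parse(str) |
-| tst.js:27:28:27:42 | JSON.parse(str) |
-| tst.js:27:39:27:41 | str |
+| tst.js:7:9:7:46 | bodyParameter |
+| tst.js:7:25:7:32 | req.body |
+| tst.js:7:25:7:32 | req.body |
+| tst.js:7:25:7:46 | req.bod ... rameter |
+| tst.js:8:9:8:49 | queryParameter |
+| tst.js:8:9:8:49 | queryParameter |
+| tst.js:8:26:8:49 | req.que ... rameter |
+| tst.js:8:26:8:49 | req.que ... rameter |
+| tst.js:8:26:8:49 | req.que ... rameter |
+| tst.js:10:28:10:40 | bodyParameter |
+| tst.js:10:28:10:40 | bodyParameter |
+| tst.js:11:28:11:41 | queryParameter |
+| tst.js:11:28:11:41 | queryParameter |
+| tst.js:20:19:20:32 | queryParameter |
+| tst.js:20:19:20:32 | queryParameter |
+| tst.js:23:24:23:26 | obj |
+| tst.js:23:24:23:26 | obj |
+| tst.js:24:28:24:30 | obj |
+| tst.js:24:28:24:30 | obj |
+| tst.js:26:11:26:24 | str |
+| tst.js:26:17:26:19 | obj |
+| tst.js:26:17:26:24 | obj + "" |
+| tst.js:29:28:29:42 | JSON.parse(str) |
+| tst.js:29:28:29:42 | JSON.parse(str) |
+| tst.js:29:39:29:41 | str |
 edges
 | tst2.js:6:9:6:46 | bodyParameter | tst2.js:7:28:7:40 | bodyParameter |
 | tst2.js:6:9:6:46 | bodyParameter | tst2.js:7:28:7:40 | bodyParameter |
@@ -80,36 +80,36 @@ edges
 | tst2.js:51:25:51:32 | req.body | tst2.js:51:25:51:46 | req.bod ... rameter |
 | tst2.js:51:25:51:32 | req.body | tst2.js:51:25:51:46 | req.bod ... rameter |
 | tst2.js:51:25:51:46 | req.bod ... rameter | tst2.js:51:9:51:46 | bodyParameter |
-| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
-| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
-| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
-| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
-| tst.js:5:25:5:46 | req.bod ... rameter | tst.js:5:9:5:46 | bodyParameter |
-| tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
-| tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
-| tst.js:6:9:6:49 | queryParameter | tst.js:18:19:18:32 | queryParameter |
-| tst.js:6:9:6:49 | queryParameter | tst.js:18:19:18:32 | queryParameter |
-| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
-| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
-| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
-| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
-| tst.js:18:19:18:32 | queryParameter | tst.js:21:24:21:26 | obj |
-| tst.js:18:19:18:32 | queryParameter | tst.js:21:24:21:26 | obj |
-| tst.js:21:24:21:26 | obj | tst.js:22:28:22:30 | obj |
-| tst.js:21:24:21:26 | obj | tst.js:22:28:22:30 | obj |
-| tst.js:21:24:21:26 | obj | tst.js:24:17:24:19 | obj |
-| tst.js:24:11:24:24 | str | tst.js:27:39:27:41 | str |
-| tst.js:24:17:24:19 | obj | tst.js:24:17:24:24 | obj + "" |
-| tst.js:24:17:24:24 | obj + "" | tst.js:24:11:24:24 | str |
-| tst.js:27:39:27:41 | str | tst.js:27:28:27:42 | JSON.parse(str) |
-| tst.js:27:39:27:41 | str | tst.js:27:28:27:42 | JSON.parse(str) |
+| tst.js:7:9:7:46 | bodyParameter | tst.js:10:28:10:40 | bodyParameter |
+| tst.js:7:9:7:46 | bodyParameter | tst.js:10:28:10:40 | bodyParameter |
+| tst.js:7:25:7:32 | req.body | tst.js:7:25:7:46 | req.bod ... rameter |
+| tst.js:7:25:7:32 | req.body | tst.js:7:25:7:46 | req.bod ... rameter |
+| tst.js:7:25:7:46 | req.bod ... rameter | tst.js:7:9:7:46 | bodyParameter |
+| tst.js:8:9:8:49 | queryParameter | tst.js:11:28:11:41 | queryParameter |
+| tst.js:8:9:8:49 | queryParameter | tst.js:11:28:11:41 | queryParameter |
+| tst.js:8:9:8:49 | queryParameter | tst.js:20:19:20:32 | queryParameter |
+| tst.js:8:9:8:49 | queryParameter | tst.js:20:19:20:32 | queryParameter |
+| tst.js:8:26:8:49 | req.que ... rameter | tst.js:8:9:8:49 | queryParameter |
+| tst.js:8:26:8:49 | req.que ... rameter | tst.js:8:9:8:49 | queryParameter |
+| tst.js:8:26:8:49 | req.que ... rameter | tst.js:8:9:8:49 | queryParameter |
+| tst.js:8:26:8:49 | req.que ... rameter | tst.js:8:9:8:49 | queryParameter |
+| tst.js:20:19:20:32 | queryParameter | tst.js:23:24:23:26 | obj |
+| tst.js:20:19:20:32 | queryParameter | tst.js:23:24:23:26 | obj |
+| tst.js:23:24:23:26 | obj | tst.js:24:28:24:30 | obj |
+| tst.js:23:24:23:26 | obj | tst.js:24:28:24:30 | obj |
+| tst.js:23:24:23:26 | obj | tst.js:26:17:26:19 | obj |
+| tst.js:26:11:26:24 | str | tst.js:29:39:29:41 | str |
+| tst.js:26:17:26:19 | obj | tst.js:26:17:26:24 | obj + "" |
+| tst.js:26:17:26:24 | obj + "" | tst.js:26:11:26:24 | str |
+| tst.js:29:39:29:41 | str | tst.js:29:28:29:42 | JSON.parse(str) |
+| tst.js:29:39:29:41 | str | tst.js:29:28:29:42 | JSON.parse(str) |
 #select
 | tst2.js:7:28:7:40 | bodyParameter | tst2.js:6:25:6:32 | req.body | tst2.js:7:28:7:40 | bodyParameter | Template object injection due to $@. | tst2.js:6:25:6:32 | req.body | user-provided value |
 | tst2.js:27:28:27:40 | bodyParameter | tst2.js:26:25:26:32 | req.body | tst2.js:27:28:27:40 | bodyParameter | Template object injection due to $@. | tst2.js:26:25:26:32 | req.body | user-provided value |
 | tst2.js:35:28:35:40 | bodyParameter | tst2.js:34:25:34:32 | req.body | tst2.js:35:28:35:40 | bodyParameter | Template object injection due to $@. | tst2.js:34:25:34:32 | req.body | user-provided value |
 | tst2.js:43:28:43:40 | bodyParameter | tst2.js:42:25:42:32 | req.body | tst2.js:43:28:43:40 | bodyParameter | Template object injection due to $@. | tst2.js:42:25:42:32 | req.body | user-provided value |
 | tst2.js:52:28:52:40 | bodyParameter | tst2.js:51:25:51:32 | req.body | tst2.js:52:28:52:40 | bodyParameter | Template object injection due to $@. | tst2.js:51:25:51:32 | req.body | user-provided value |
-| tst.js:8:28:8:40 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:8:28:8:40 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
-| tst.js:9:28:9:41 | queryParameter | tst.js:6:26:6:49 | req.que ... rameter | tst.js:9:28:9:41 | queryParameter | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
-| tst.js:22:28:22:30 | obj | tst.js:6:26:6:49 | req.que ... rameter | tst.js:22:28:22:30 | obj | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
-| tst.js:27:28:27:42 | JSON.parse(str) | tst.js:6:26:6:49 | req.que ... rameter | tst.js:27:28:27:42 | JSON.parse(str) | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
+| tst.js:10:28:10:40 | bodyParameter | tst.js:7:25:7:32 | req.body | tst.js:10:28:10:40 | bodyParameter | Template object injection due to $@. | tst.js:7:25:7:32 | req.body | user-provided value |
+| tst.js:11:28:11:41 | queryParameter | tst.js:8:26:8:49 | req.que ... rameter | tst.js:11:28:11:41 | queryParameter | Template object injection due to $@. | tst.js:8:26:8:49 | req.que ... rameter | user-provided value |
+| tst.js:24:28:24:30 | obj | tst.js:8:26:8:49 | req.que ... rameter | tst.js:24:28:24:30 | obj | Template object injection due to $@. | tst.js:8:26:8:49 | req.que ... rameter | user-provided value |
+| tst.js:29:28:29:42 | JSON.parse(str) | tst.js:8:26:8:49 | req.que ... rameter | tst.js:29:28:29:42 | JSON.parse(str) | Template object injection due to $@. | tst.js:8:26:8:49 | req.que ... rameter | user-provided value |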

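--- a/javascript/ql/test/query-tests/Security/CWE-073/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-073/tst.js
@@ -1,6 +1,8 @@
 var app = require('express')();
 app.set('view engine', 'hbs');
 
+
+
 app.post('/path', function(req, res) {
 var bodyParameter = req.body.bodyParameter;
 var queryParameter = req.query.queryParameter;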
