add a few failing tests

erik-krogh · erik-krogh · commit 905d9045435f · 2025-01-21T09:40:24.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/IncorrectSuffixCheck.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/IncorrectSuffixCheck.expected
@@ -9,3 +9,5 @@
 | tst.js:67:32:67:71 | x.index ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:76:25:76:57 | index = ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:80:10:80:57 | x.index ... th + 1) | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
+| tst.js:105:23:105:80 | ind === ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
+| tst.js:110:65:110:164 | trusted ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js
@@ -97,3 +97,15 @@ function lastIndexNeqMinusOne(x) {
 function lastIndexEqMinusOne(x) {
   return x.lastIndexOf("example.com") === -1 || x.lastIndexOf("example.com") === x.length - "example.com".length; // OK
 }
+
+function sameCheck(allowedOrigin) {
+    const trustedAuthority = "example.com";
+
+    const ind = trustedAuthority.indexOf("." + allowedOrigin);
+    return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; // OK - but currently failing
+}
+
+function sameConcatenation(allowedOrigin) {
+    const trustedAuthority = "example.com";
+    return trustedAuthority.indexOf("." + allowedOrigin) > 0 && trustedAuthority.indexOf("." + allowedOrigin) === trustedAuthority.length - allowedOrigin.length - 1; // OK - but currently failing
+}
