Fix example in JavaScript query

edoardopirovano · edoardopirovano · commit a616059761c8 · 2021-12-29T12:01:09.000Z
diff --git a/javascript/ql/src/Security/CWE-843/examples/TypeConfusionThroughParameterTampering.js b/javascript/ql/src/Security/CWE-843/examples/TypeConfusionThroughParameterTampering.js
@@ -4,8 +4,8 @@ var app = require("express")(),
 app.get("/user-files", function(req, res) {
   var file = req.param("file");
   if (file.indexOf("..") !== -1) {
-    // BAD
-    // forbid paths outside the /public directory
+    // BAD: we forbid relative paths that contain ..
+    // as these could leave the public directory
     res.status(400).send("Bad request");
   } else {
     var absolute = path.resolve("/public/" + file);
diff --git a/javascript/ql/src/Security/CWE-843/examples/TypeConfusionThroughParameterTampering_fixed.js b/javascript/ql/src/Security/CWE-843/examples/TypeConfusionThroughParameterTampering_fixed.js
@@ -3,9 +3,9 @@ var app = require("express")(),
 
 app.get("/user-files", function(req, res) {
   var file = req.param("file");
-  if (typeof path !== 'string' || file.indexOf("..") !== -1) {
-    // BAD
-    // forbid paths outside the /public directory
+  if (typeof file !== 'string' || file.indexOf("..") !== -1) {
+    // BAD: we forbid relative paths that contain ..
+    // as these could leave the public directory
     res.status(400).send("Bad request");
   } else {
     var absolute = path.resolve("/public/" + file);
