Added test case for escape.

Napalys · Napalys · commit c4b717b86c2b · 2025-03-14T11:40:23.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -208,3 +208,10 @@ var server = http.createServer(function(req, res) {
   }
 });
   
+var srv = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path; // $ MISSING: Source
+  const improperEscape = escape(path);
+  res.write(fs.readFileSync(improperEscape)); // $ MISSING: Alert
+  const improperEscape2 = unescape(path);
+  res.write(fs.readFileSync(improperEscape2)); // $ MISSING: Alert
+});
