Merge pull request #7489 from edoardopirovano/fix-example

Fix example in JavaScript query

Author: edoardopirovano

javascript/ql/src/Security/CWE-843/examples/TypeConfusionThroughParameterTampering.js

@@ -5,7 +5,8 @@ app.get("/user-files", function(req, res) {
   var file = req.param("file");
   if (file.indexOf("..") !== -1) {
     // BAD
-    // forbid paths outside the /public directory
+    // we forbid relative paths that contain ..
+    // as these could leave the public directory
     res.status(400).send("Bad request");
   } else {
     var absolute = path.resolve("/public/" + file);

javascript/ql/src/Security/CWE-843/examples/TypeConfusionThroughParameterTampering_fixed.js

@@ -3,9 +3,10 @@ var app = require("express")(),
 
 app.get("/user-files", function(req, res) {
   var file = req.param("file");
-  if (typeof path !== 'string' || file.indexOf("..") !== -1) {
-    // BAD
-    // forbid paths outside the /public directory
+  if (typeof file !== 'string' || file.indexOf("..") !== -1) {
+    // GOOD
+    // we forbid relative paths that contain ..
+    // as these could leave the public directory
     res.status(400).send("Bad request");
   } else {
     var absolute = path.resolve("/public/" + file);