JS: Add test for upward traversal

Author: asgerf

javascript/ql/test/library-tests/frameworks/Templating/Xss.expected

@@ -43,6 +43,8 @@ nodes
 | projectA/src/index.js:32:16:32:30 | req.query.sinkA |
 | projectA/src/index.js:37:16:37:30 | req.query.sinkA |
 | projectA/src/index.js:37:16:37:30 | req.query.sinkA |
+| projectA/src/index.js:42:16:42:30 | req.query.sinkA |
+| projectA/src/index.js:42:16:42:30 | req.query.sinkA |
 | projectA/views/main.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/main.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/main.ejs:2:5:2:9 | sinkA |
@@ -52,6 +54,9 @@ nodes
 | projectA/views/subfolder/other.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/subfolder/other.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/subfolder/other.ejs:2:5:2:9 | sinkA |
+| projectA/views/upward_traversal.ejs:1:1:1:12 | <%- sinkA %> |
+| projectA/views/upward_traversal.ejs:1:1:1:12 | <%- sinkA %> |
+| projectA/views/upward_traversal.ejs:1:5:1:9 | sinkA |
 | projectB/src/index.js:8:16:8:30 | req.query.sinkB |
 | projectB/src/index.js:8:16:8:30 | req.query.sinkB |
 | projectB/src/index.js:13:16:13:30 | req.query.sinkB |
@@ -188,12 +193,16 @@ edges
 | projectA/src/index.js:32:16:32:30 | req.query.sinkA | projectA/views/subfolder/other.ejs:2:5:2:9 | sinkA |
 | projectA/src/index.js:37:16:37:30 | req.query.sinkA | projectA/views/subfolder/other.ejs:2:5:2:9 | sinkA |
 | projectA/src/index.js:37:16:37:30 | req.query.sinkA | projectA/views/subfolder/other.ejs:2:5:2:9 | sinkA |
+| projectA/src/index.js:42:16:42:30 | req.query.sinkA | projectA/views/upward_traversal.ejs:1:5:1:9 | sinkA |
+| projectA/src/index.js:42:16:42:30 | req.query.sinkA | projectA/views/upward_traversal.ejs:1:5:1:9 | sinkA |
 | projectA/views/main.ejs:2:5:2:9 | sinkA | projectA/views/main.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/main.ejs:2:5:2:9 | sinkA | projectA/views/main.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/subfolder/index.ejs:2:5:2:9 | sinkA | projectA/views/subfolder/index.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/subfolder/index.ejs:2:5:2:9 | sinkA | projectA/views/subfolder/index.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/subfolder/other.ejs:2:5:2:9 | sinkA | projectA/views/subfolder/other.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/subfolder/other.ejs:2:5:2:9 | sinkA | projectA/views/subfolder/other.ejs:2:1:2:12 | <%- sinkA %> |
+| projectA/views/upward_traversal.ejs:1:5:1:9 | sinkA | projectA/views/upward_traversal.ejs:1:1:1:12 | <%- sinkA %> |
+| projectA/views/upward_traversal.ejs:1:5:1:9 | sinkA | projectA/views/upward_traversal.ejs:1:1:1:12 | <%- sinkA %> |
 | projectB/src/index.js:8:16:8:30 | req.query.sinkB | projectB/views/main.ejs:3:5:3:9 | sinkB |
 | projectB/src/index.js:8:16:8:30 | req.query.sinkB | projectB/views/main.ejs:3:5:3:9 | sinkB |
 | projectB/src/index.js:13:16:13:30 | req.query.sinkB | projectB/views/main.ejs:3:5:3:9 | sinkB |
@@ -247,6 +256,7 @@ edges
 | projectA/views/subfolder/index.ejs:2:1:2:12 | <%- sinkA %> | projectA/src/index.js:17:16:17:30 | req.query.sinkA | projectA/views/subfolder/index.ejs:2:1:2:12 | <%- sinkA %> | Cross-site scripting vulnerability due to $@. | projectA/src/index.js:17:16:17:30 | req.query.sinkA | user-provided value |
 | projectA/views/subfolder/other.ejs:2:1:2:12 | <%- sinkA %> | projectA/src/index.js:32:16:32:30 | req.query.sinkA | projectA/views/subfolder/other.ejs:2:1:2:12 | <%- sinkA %> | Cross-site scripting vulnerability due to $@. | projectA/src/index.js:32:16:32:30 | req.query.sinkA | user-provided value |
 | projectA/views/subfolder/other.ejs:2:1:2:12 | <%- sinkA %> | projectA/src/index.js:37:16:37:30 | req.query.sinkA | projectA/views/subfolder/other.ejs:2:1:2:12 | <%- sinkA %> | Cross-site scripting vulnerability due to $@. | projectA/src/index.js:37:16:37:30 | req.query.sinkA | user-provided value |
+| projectA/views/upward_traversal.ejs:1:1:1:12 | <%- sinkA %> | projectA/src/index.js:42:16:42:30 | req.query.sinkA | projectA/views/upward_traversal.ejs:1:1:1:12 | <%- sinkA %> | Cross-site scripting vulnerability due to $@. | projectA/src/index.js:42:16:42:30 | req.query.sinkA | user-provided value |
 | projectB/views/main.ejs:3:1:3:12 | <%- sinkB %> | projectB/src/index.js:8:16:8:30 | req.query.sinkB | projectB/views/main.ejs:3:1:3:12 | <%- sinkB %> | Cross-site scripting vulnerability due to $@. | projectB/src/index.js:8:16:8:30 | req.query.sinkB | user-provided value |
 | projectB/views/main.ejs:3:1:3:12 | <%- sinkB %> | projectB/src/index.js:13:16:13:30 | req.query.sinkB | projectB/views/main.ejs:3:1:3:12 | <%- sinkB %> | Cross-site scripting vulnerability due to $@. | projectB/src/index.js:13:16:13:30 | req.query.sinkB | user-provided value |
 | projectB/views/subfolder/index.ejs:3:1:3:12 | <%- sinkB %> | projectB/src/index.js:18:16:18:30 | req.query.sinkB | projectB/views/subfolder/index.ejs:3:1:3:12 | <%- sinkB %> | Cross-site scripting vulnerability due to $@. | projectB/src/index.js:18:16:18:30 | req.query.sinkB | user-provided value |

javascript/ql/test/library-tests/frameworks/Templating/projectA/src/index.js

@@ -37,4 +37,9 @@ app.get('/fooA', (req, res) => {
         sinkA: req.query.sinkA,
         sinkB: req.query.sinkB,
     });
+
+    res.render('subfolder/subsub', {
+        sinkA: req.query.sinkA,
+        sinkB: req.query.sinkB,
+    });
 });

javascript/ql/test/library-tests/frameworks/Templating/projectA/views/subfolder/subsub/index.ejs

@@ -0,0 +1 @@
+<% include ../../upward_traversal %>

javascript/ql/test/library-tests/frameworks/Templating/projectA/views/upward_traversal.ejs

@@ -0,0 +1,2 @@
+<%- sinkA %>
+<%= sinkB %>

javascript/ql/test/library-tests/frameworks/Templating/test.expected

@@ -5,6 +5,8 @@ getLikelyTemplateSyntax
 | projectA/views/main.ejs:0:0:0:0 | projectA/views/main.ejs | ejs |
 | projectA/views/subfolder/index.ejs:0:0:0:0 | projectA/views/subfolder/index.ejs | ejs |
 | projectA/views/subfolder/other.ejs:0:0:0:0 | projectA/views/subfolder/other.ejs | ejs |
+| projectA/views/subfolder/subsub/index.ejs:0:0:0:0 | projectA/views/subfolder/subsub/index.ejs | ejs |
+| projectA/views/upward_traversal.ejs:0:0:0:0 | projectA/views/upward_traversal.ejs | ejs |
 | projectB/views/main.ejs:0:0:0:0 | projectB/views/main.ejs | ejs |
 | projectB/views/subfolder/index.ejs:0:0:0:0 | projectB/views/subfolder/index.ejs | ejs |
 | projectB/views/subfolder/other.ejs:0:0:0:0 | projectB/views/subfolder/other.ejs | ejs |
@@ -29,6 +31,7 @@ getTargetFile
 | projectA/src/index.js:16:5:19:6 | res.ren ... \\n    }) | projectA/views/subfolder/index.ejs:0:0:0:0 | projectA/views/subfolder/index.ejs |
 | projectA/src/index.js:31:5:34:6 | res.ren ... \\n    }) | projectA/views/subfolder/other.ejs:0:0:0:0 | projectA/views/subfolder/other.ejs |
 | projectA/src/index.js:36:5:39:6 | res.ren ... \\n    }) | projectA/views/subfolder/other.ejs:0:0:0:0 | projectA/views/subfolder/other.ejs |
+| projectA/src/index.js:41:5:44:6 | res.ren ... \\n    }) | projectA/views/subfolder/subsub/index.ejs:0:0:0:0 | projectA/views/subfolder/subsub/index.ejs |
 | projectB/src/index.js:6:5:9:6 | res.ren ... \\n    }) | projectB/views/main.ejs:0:0:0:0 | projectB/views/main.ejs |
 | projectB/src/index.js:11:5:14:6 | res.ren ... \\n    }) | projectB/views/main.ejs:0:0:0:0 | projectB/views/main.ejs |
 | projectB/src/index.js:16:5:19:6 | res.ren ... \\n    }) | projectB/views/subfolder/index.ejs:0:0:0:0 | projectB/views/subfolder/index.ejs |
@@ -39,6 +42,7 @@ xssSink
 | projectA/views/main.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/subfolder/index.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/subfolder/other.ejs:2:1:2:12 | <%- sinkA %> |
+| projectA/views/upward_traversal.ejs:1:1:1:12 | <%- sinkA %> |
 | projectB/views/main.ejs:3:1:3:12 | <%- sinkB %> |
 | projectB/views/subfolder/index.ejs:3:1:3:12 | <%- sinkB %> |
 | projectB/views/subfolder/other.ejs:3:1:3:12 | <%- sinkB %> |