update consistency comments for CWE-611

erik-krogh · erik-krogh · commit 5a8762847883 · 2020-07-08T10:03:03.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/Xxe.expected b/javascript/ql/test/query-tests/Security/CWE-611/Xxe.expected
@@ -10,12 +10,12 @@ nodes
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
-| libxml.sax.js:7:22:7:42 | req.par ... e-xml") |
-| libxml.sax.js:7:22:7:42 | req.par ... e-xml") |
-| libxml.sax.js:7:22:7:42 | req.par ... e-xml") |
-| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") |
-| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") |
-| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") |
+| libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
+| libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
+| libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
+| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
+| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
+| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
 edges
 | domparser.js:2:7:2:36 | src | domparser.js:11:55:11:57 | src |
 | domparser.js:2:7:2:36 | src | domparser.js:11:55:11:57 | src |
@@ -25,11 +25,11 @@ edges
 | domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search |
 | domparser.js:2:13:2:36 | documen ... .search | domparser.js:2:7:2:36 | src |
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
-| libxml.sax.js:7:22:7:42 | req.par ... e-xml") | libxml.sax.js:7:22:7:42 | req.par ... e-xml") |
-| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") |
+| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
+| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
 #select
 | domparser.js:11:55:11:57 | src | domparser.js:2:13:2:29 | document.location | domparser.js:11:55:11:57 | src | A $@ is parsed as XML without guarding against external entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value |
 | domparser.js:14:57:14:59 | src | domparser.js:2:13:2:29 | document.location | domparser.js:14:57:14:59 | src | A $@ is parsed as XML without guarding against external entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value |
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | user-provided value |
-| libxml.sax.js:7:22:7:42 | req.par ... e-xml") | libxml.sax.js:7:22:7:42 | req.par ... e-xml") | libxml.sax.js:7:22:7:42 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.sax.js:7:22:7:42 | req.par ... e-xml") | user-provided value |
-| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | user-provided value |
+| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | user-provided value |
+| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/libxml.sax.js b/javascript/ql/test/query-tests/Security/CWE-611/libxml.sax.js
@@ -2,7 +2,6 @@ const express = require('express');
 const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
-  // NOT OK: the SAX parser expands external entities by default
   const parser = new libxmljs.SaxParser();
-  parser.parseString(req.param("some-xml"));
+  parser.parseString(req.param("some-xml")); // NOT OK: the SAX parser expands external entities by default
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/libxml.saxpush.js b/javascript/ql/test/query-tests/Security/CWE-611/libxml.saxpush.js
@@ -2,7 +2,6 @@ const express = require('express');
 const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
-  // NOT OK: the SAX parser expands external entities by default
   const parser = new libxmljs.SaxPushParser();
-  parser.push(req.param("some-xml"));
+  parser.push(req.param("some-xml"));  // NOT OK: the SAX parser expands external entities by default
 });
