update comment position to match alert location for CWE-776

Author: erik-krogh

javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected

@@ -15,9 +15,9 @@ nodes
 | domparser.js:11:55:11:57 | src |
 | domparser.js:14:57:14:59 | src |
 | domparser.js:14:57:14:59 | src |
-| expat.js:7:16:7:36 | req.par ... e-xml") |
-| expat.js:7:16:7:36 | req.par ... e-xml") |
-| expat.js:7:16:7:36 | req.par ... e-xml") |
+| expat.js:6:16:6:36 | req.par ... e-xml") |
+| expat.js:6:16:6:36 | req.par ... e-xml") |
+| expat.js:6:16:6:36 | req.par ... e-xml") |
 | jquery.js:2:7:2:36 | src |
 | jquery.js:2:13:2:29 | document.location |
 | jquery.js:2:13:2:29 | document.location |
@@ -30,12 +30,12 @@ nodes
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
-| libxml.sax.js:7:22:7:42 | req.par ... e-xml") |
-| libxml.sax.js:7:22:7:42 | req.par ... e-xml") |
-| libxml.sax.js:7:22:7:42 | req.par ... e-xml") |
-| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") |
-| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") |
-| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") |
+| libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
+| libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
+| libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
+| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
+| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
+| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
 edges
 | closure.js:2:7:2:36 | src | closure.js:4:24:4:26 | src |
 | closure.js:2:7:2:36 | src | closure.js:4:24:4:26 | src |
@@ -51,24 +51,24 @@ edges
 | domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search |
 | domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search |
 | domparser.js:2:13:2:36 | documen ... .search | domparser.js:2:7:2:36 | src |
-| expat.js:7:16:7:36 | req.par ... e-xml") | expat.js:7:16:7:36 | req.par ... e-xml") |
+| expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") |
 | jquery.js:2:7:2:36 | src | jquery.js:5:14:5:16 | src |
 | jquery.js:2:7:2:36 | src | jquery.js:5:14:5:16 | src |
 | jquery.js:2:13:2:29 | document.location | jquery.js:2:13:2:36 | documen ... .search |
 | jquery.js:2:13:2:29 | document.location | jquery.js:2:13:2:36 | documen ... .search |
 | jquery.js:2:13:2:36 | documen ... .search | jquery.js:2:7:2:36 | src |
 | libxml.js:6:21:6:41 | req.par ... e-xml") | libxml.js:6:21:6:41 | req.par ... e-xml") |
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
-| libxml.sax.js:7:22:7:42 | req.par ... e-xml") | libxml.sax.js:7:22:7:42 | req.par ... e-xml") |
-| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") |
+| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
+| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
 #select
 | closure.js:4:24:4:26 | src | closure.js:2:13:2:29 | document.location | closure.js:4:24:4:26 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | closure.js:2:13:2:29 | document.location | user-provided value |
 | domparser.js:6:37:6:39 | src | domparser.js:2:13:2:29 | document.location | domparser.js:6:37:6:39 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value |
 | domparser.js:11:55:11:57 | src | domparser.js:2:13:2:29 | document.location | domparser.js:11:55:11:57 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value |
 | domparser.js:14:57:14:59 | src | domparser.js:2:13:2:29 | document.location | domparser.js:14:57:14:59 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value |
-| expat.js:7:16:7:36 | req.par ... e-xml") | expat.js:7:16:7:36 | req.par ... e-xml") | expat.js:7:16:7:36 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | expat.js:7:16:7:36 | req.par ... e-xml") | user-provided value |
+| expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | expat.js:6:16:6:36 | req.par ... e-xml") | user-provided value |
 | jquery.js:5:14:5:16 | src | jquery.js:2:13:2:29 | document.location | jquery.js:5:14:5:16 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | jquery.js:2:13:2:29 | document.location | user-provided value |
 | libxml.js:6:21:6:41 | req.par ... e-xml") | libxml.js:6:21:6:41 | req.par ... e-xml") | libxml.js:6:21:6:41 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | libxml.js:6:21:6:41 | req.par ... e-xml") | user-provided value |
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | user-provided value |
-| libxml.sax.js:7:22:7:42 | req.par ... e-xml") | libxml.sax.js:7:22:7:42 | req.par ... e-xml") | libxml.sax.js:7:22:7:42 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | libxml.sax.js:7:22:7:42 | req.par ... e-xml") | user-provided value |
-| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | user-provided value |
+| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | user-provided value |
+| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | user-provided value |

javascript/ql/test/query-tests/Security/CWE-776/expat.js

@@ -2,7 +2,6 @@ const express = require('express');
 const expat = require('node-expat');
 
 express().get('/some/path', function(req) {
-  // NOT OK: expat expands internal entities by default
   var parser = new expat.Parser();
-  parser.write(req.param("some-xml"));
+  parser.write(req.param("some-xml")); // NOT OK: expat expands internal entities by default
 });

javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js

@@ -2,7 +2,6 @@ const express = require('express');
 const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
-  // NOT OK: the SAX parser expands external entities by default
   const parser = new libxmljs.SaxParser();
-  parser.parseString(req.param("some-xml"));
+  parser.parseString(req.param("some-xml")); // NOT OK: the SAX parser expands external entities by default
 });

javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js

@@ -2,7 +2,6 @@ const express = require('express');
 const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
-  // NOT OK: the SAX parser expands external entities by default
   const parser = new libxmljs.SaxPushParser();
-  parser.push(req.param("some-xml"));
+  parser.push(req.param("some-xml")); // NOT OK: the SAX parser expands external entities by default
 });