fix restify tests

Alvaro Muñoz · Alvaro Muñoz · commit 14faff447718 · 2022-12-14T15:38:35.000+01:00
diff --git a/javascript/ql/test/library-tests/frameworks/Restify2/src/index.js b/javascript/ql/test/library-tests/frameworks/Restify2/src/index.js
@@ -123,9 +123,18 @@ function xss(req, res, next) { // test: handler
   res.send('hello ' + req.query.name); // test: source, stackTraceExposureSink, xssSink, xss
   next();
 }
-server["get"]('/xss', xss); // test: setup
 
-function xss2(req, res, next) { // test: handler
+function xss2(req, res, next) { // test: candidateHandler
+  next()
+}
+
+function xss3(req, res, next) { // test: handler
+  res.header("Content-Type", "text/html"); // test: headerDefinition
+  res.send('hello ' + req.header("foo")); // test: source, stackTraceExposureSink, xssSink, !xss
+  next();
+}
+
+function xss4(req, res, next) { // test: handler
   var body = req.params.name; // test: source
   res.writeHead(200, {
     'Content-Length': Buffer.byteLength(body),
@@ -135,19 +144,16 @@ function xss2(req, res, next) { // test: handler
   res.end();
   next();
 }
+
+server["get"]('/xss', xss); // test: setup
 ["get", "head"].forEach(method => {
   server[method]('/xss2', xss2);
 });
-
-function xss3(req, res, next) { // test: handler
-  res.header("Content-Type", "text/html"); // test: headerDefinition
-  res.send('hello ' + req.header("foo")); // test: source, stackTraceExposureSink, xssSink, !xss
-  next();
-}
 server["get"]('/xss3', xss3); // test: setup
+server["get"]('/xss4', xss4); // test: setup
 
 
-function sendV2(req, res, next) { // test: candidateHandler
+server.get('/testv2', function(req, res, next) { // test: handler
   res.set({
     "Content-Type": "text/html",
     "access-control-allow-origin": "*", // test: corsMiconfigurationSink
@@ -162,7 +168,8 @@ function sendV2(req, res, next) { // test: candidateHandler
   clients.createJsonClient(req.params.uri); // test: source, ssrfSink
 
   next();
-}
+})
+
 server.get('/hello2/:name', restify.plugins.conditionalHandler([ // test: setup
   { version: ['2.0.0', '2.1.0', '2.2.0'], handler: sendV2 }
 ]));
diff --git a/javascript/ql/test/library-tests/frameworks/Restify2/tests.expected b/javascript/ql/test/library-tests/frameworks/Restify2/tests.expected
@@ -1,7 +1,7 @@
 passingPositiveTests
-| PASSED | candidateHandler | src/index.js:150:35:150:59 | // test ... Handler |
-| PASSED | candidateHandler | src/index.js:173:42:173:66 | // test ... Handler |
-| PASSED | corsMiconfigurationSink | src/index.js:153:41:153:72 | // test ... ionSink |
+| PASSED | candidateHandler | src/index.js:127:33:127:57 | // test ... Handler |
+| PASSED | candidateHandler | src/index.js:180:42:180:66 | // test ... Handler |
+| PASSED | corsMiconfigurationSink | src/index.js:159:41:159:72 | // test ... ionSink |
 | PASSED | handler | src/index.js:32:39:32:54 | // test: handler |
 | PASSED | handler | src/index.js:41:39:41:54 | // test: handler |
 | PASSED | handler | src/index.js:44:35:44:50 | // test: handler |
@@ -18,17 +18,18 @@ passingPositiveTests
 | PASSED | handler | src/index.js:111:31:111:46 | // test: handler |
 | PASSED | handler | src/index.js:115:30:115:45 | // test: handler |
 | PASSED | handler | src/index.js:121:32:121:47 | // test: handler |
-| PASSED | handler | src/index.js:128:33:128:48 | // test: handler |
-| PASSED | handler | src/index.js:142:33:142:48 | // test: handler |
-| PASSED | handler | src/index.js:183:65:183:87 | // test ... handler |
-| PASSED | handler | src/index.js:187:63:187:85 | // test ... handler |
-| PASSED | handler | src/index.js:190:55:190:77 | // test ... handler |
-| PASSED | handler | src/index.js:192:39:192:61 | // test ... handler |
-| PASSED | handler | src/index.js:194:49:194:71 | // test ... handler |
-| PASSED | handler | src/index.js:198:65:198:87 | // test ... handler |
+| PASSED | handler | src/index.js:131:33:131:48 | // test: handler |
+| PASSED | handler | src/index.js:137:33:137:48 | // test: handler |
+| PASSED | handler | src/index.js:156:50:156:65 | // test: handler |
+| PASSED | handler | src/index.js:190:65:190:87 | // test ... handler |
+| PASSED | handler | src/index.js:194:63:194:85 | // test ... handler |
+| PASSED | handler | src/index.js:197:55:197:77 | // test ... handler |
+| PASSED | handler | src/index.js:199:39:199:61 | // test ... handler |
+| PASSED | handler | src/index.js:201:49:201:71 | // test ... handler |
+| PASSED | handler | src/index.js:205:65:205:87 | // test ... handler |
 | PASSED | headerDefinition | src/index.js:104:46:104:70 | // test ... inition |
 | PASSED | headerDefinition | src/index.js:122:44:122:68 | // test ... inition |
-| PASSED | headerDefinition | src/index.js:143:44:143:68 | // test ... inition |
+| PASSED | headerDefinition | src/index.js:132:44:132:68 | // test ... inition |
 | PASSED | redirectSink | src/index.js:78:32:78:60 | // test ... ectSink |
 | PASSED | redirectSink | src/index.js:87:45:87:73 | // test ... ectSink |
 | PASSED | redirectSink | src/index.js:88:40:88:68 | // test ... ectSink |
@@ -40,16 +41,17 @@ passingPositiveTests
 | PASSED | setup | src/index.js:93:44:93:66 | // test ... handler |
 | PASSED | setup | src/index.js:98:20:98:33 | // test: setup |
 | PASSED | setup | src/index.js:110:21:110:34 | // test: setup |
-| PASSED | setup | src/index.js:126:29:126:42 | // test: setup |
-| PASSED | setup | src/index.js:147:31:147:44 | // test: setup |
-| PASSED | setup | src/index.js:166:66:166:79 | // test: setup |
-| PASSED | setup | src/index.js:170:66:170:78 | //test: setup |
-| PASSED | setup | src/index.js:183:65:183:87 | // test ... handler |
-| PASSED | setup | src/index.js:187:63:187:85 | // test ... handler |
-| PASSED | setup | src/index.js:190:55:190:77 | // test ... handler |
-| PASSED | setup | src/index.js:192:39:192:61 | // test ... handler |
-| PASSED | setup | src/index.js:194:49:194:71 | // test ... handler |
-| PASSED | setup | src/index.js:198:65:198:87 | // test ... handler |
+| PASSED | setup | src/index.js:148:29:148:42 | // test: setup |
+| PASSED | setup | src/index.js:152:31:152:44 | // test: setup |
+| PASSED | setup | src/index.js:153:31:153:44 | // test: setup |
+| PASSED | setup | src/index.js:173:66:173:79 | // test: setup |
+| PASSED | setup | src/index.js:177:66:177:78 | //test: setup |
+| PASSED | setup | src/index.js:190:65:190:87 | // test ... handler |
+| PASSED | setup | src/index.js:194:63:194:85 | // test ... handler |
+| PASSED | setup | src/index.js:197:55:197:77 | // test ... handler |
+| PASSED | setup | src/index.js:199:39:199:61 | // test ... handler |
+| PASSED | setup | src/index.js:201:49:201:71 | // test ... handler |
+| PASSED | setup | src/index.js:205:65:205:87 | // test ... handler |
 | PASSED | source | src/index.js:11:76:11:130 | // test ... k, !xss |
 | PASSED | source | src/index.js:24:76:24:128 | // test ... nk, xss |
 | PASSED | source | src/index.js:72:41:72:80 | // test ... reSink  |
@@ -61,15 +63,15 @@ passingPositiveTests
 | PASSED | source | src/index.js:88:40:88:68 | // test ... ectSink |
 | PASSED | source | src/index.js:100:37:100:51 | // test: source |
 | PASSED | source | src/index.js:123:40:123:92 | // test ... nk, xss |
-| PASSED | source | src/index.js:129:31:129:45 | // test: source |
-| PASSED | source | src/index.js:144:43:144:96 | // test ... k, !xss |
-| PASSED | source | src/index.js:158:41:158:93 | // test ... nk, xss |
-| PASSED | source | src/index.js:160:26:160:50 | // test ... srfSink |
-| PASSED | source | src/index.js:162:45:162:69 | // test ... srfSink |
-| PASSED | source | src/index.js:196:28:196:58 | // test ... k, !xss |
-| PASSED | source | src/index.js:200:28:200:56 | // test ... nk, xss |
-| PASSED | ssrfSink | src/index.js:160:26:160:50 | // test ... srfSink |
-| PASSED | ssrfSink | src/index.js:162:45:162:69 | // test ... srfSink |
+| PASSED | source | src/index.js:133:43:133:96 | // test ... k, !xss |
+| PASSED | source | src/index.js:138:31:138:45 | // test: source |
+| PASSED | source | src/index.js:164:41:164:93 | // test ... nk, xss |
+| PASSED | source | src/index.js:166:26:166:50 | // test ... srfSink |
+| PASSED | source | src/index.js:168:45:168:69 | // test ... srfSink |
+| PASSED | source | src/index.js:203:28:203:58 | // test ... k, !xss |
+| PASSED | source | src/index.js:207:28:207:56 | // test ... nk, xss |
+| PASSED | ssrfSink | src/index.js:166:26:166:50 | // test ... srfSink |
+| PASSED | ssrfSink | src/index.js:168:45:168:69 | // test ... srfSink |
 | PASSED | stackTraceExposureSink | src/index.js:9:66:9:96 | // test ... ureSink |
 | PASSED | stackTraceExposureSink | src/index.js:11:76:11:130 | // test ... k, !xss |
 | PASSED | stackTraceExposureSink | src/index.js:22:66:22:105 | // test ... xssSink |
@@ -81,28 +83,28 @@ passingPositiveTests
 | PASSED | stackTraceExposureSink | src/index.js:105:29:105:73 | // test ... nk, xss |
 | PASSED | stackTraceExposureSink | src/index.js:116:29:116:59 | // test ... ureSink |
 | PASSED | stackTraceExposureSink | src/index.js:123:40:123:92 | // test ... nk, xss |
-| PASSED | stackTraceExposureSink | src/index.js:134:20:134:64 | // test ... nk, xss |
-| PASSED | stackTraceExposureSink | src/index.js:144:43:144:96 | // test ... k, !xss |
-| PASSED | stackTraceExposureSink | src/index.js:158:41:158:93 | // test ... nk, xss |
+| PASSED | stackTraceExposureSink | src/index.js:133:43:133:96 | // test ... k, !xss |
+| PASSED | stackTraceExposureSink | src/index.js:143:20:143:64 | // test ... nk, xss |
+| PASSED | stackTraceExposureSink | src/index.js:164:41:164:93 | // test ... nk, xss |
 | PASSED | xss | src/index.js:24:76:24:128 | // test ... nk, xss |
 | PASSED | xss | src/index.js:105:29:105:73 | // test ... nk, xss |
 | PASSED | xss | src/index.js:123:40:123:92 | // test ... nk, xss |
-| PASSED | xss | src/index.js:134:20:134:64 | // test ... nk, xss |
-| PASSED | xss | src/index.js:158:41:158:93 | // test ... nk, xss |
-| PASSED | xss | src/index.js:200:28:200:56 | // test ... nk, xss |
+| PASSED | xss | src/index.js:143:20:143:64 | // test ... nk, xss |
+| PASSED | xss | src/index.js:164:41:164:93 | // test ... nk, xss |
+| PASSED | xss | src/index.js:207:28:207:56 | // test ... nk, xss |
 | PASSED | xssSink | src/index.js:22:66:22:105 | // test ... xssSink |
 | PASSED | xssSink | src/index.js:24:76:24:128 | // test ... nk, xss |
 | PASSED | xssSink | src/index.js:105:29:105:73 | // test ... nk, xss |
 | PASSED | xssSink | src/index.js:123:40:123:92 | // test ... nk, xss |
-| PASSED | xssSink | src/index.js:134:20:134:64 | // test ... nk, xss |
-| PASSED | xssSink | src/index.js:144:43:144:96 | // test ... k, !xss |
-| PASSED | xssSink | src/index.js:158:41:158:93 | // test ... nk, xss |
-| PASSED | xssSink | src/index.js:200:28:200:56 | // test ... nk, xss |
+| PASSED | xssSink | src/index.js:133:43:133:96 | // test ... k, !xss |
+| PASSED | xssSink | src/index.js:143:20:143:64 | // test ... nk, xss |
+| PASSED | xssSink | src/index.js:164:41:164:93 | // test ... nk, xss |
+| PASSED | xssSink | src/index.js:207:28:207:56 | // test ... nk, xss |
 failingPositiveTests
 passingNegativeTests
 | PASSED | !xss | src/index.js:11:76:11:130 | // test ... k, !xss |
-| PASSED | !xss | src/index.js:144:43:144:96 | // test ... k, !xss |
-| PASSED | !xss | src/index.js:196:28:196:58 | // test ... k, !xss |
+| PASSED | !xss | src/index.js:133:43:133:96 | // test ... k, !xss |
+| PASSED | !xss | src/index.js:203:28:203:58 | // test ... k, !xss |
 | PASSED | !xssSink | src/index.js:11:76:11:130 | // test ... k, !xss |
-| PASSED | !xssSink | src/index.js:196:28:196:58 | // test ... k, !xss |
+| PASSED | !xssSink | src/index.js:203:28:203:58 | // test ... k, !xss |
 failingNegativeTests
diff --git a/javascript/ql/test/library-tests/frameworks/Restify2/tests.ql b/javascript/ql/test/library-tests/frameworks/Restify2/tests.ql
@@ -6,7 +6,6 @@ import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
 import semmle.javascript.security.dataflow.RequestForgeryCustomizations
 import semmle.javascript.security.dataflow.ReflectedXssCustomizations
 import semmle.javascript.security.dataflow.ReflectedXssQuery as XssConfig
-import semmle.javascript.heuristics.AdditionalRouteHandlers
 
 class InlineTest extends LineComment {
   string tests;
