JS: Triage discrepancies and update test

asgerf · asgerf · commit bc34a045d3ce · 2025-01-10T14:18:31.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.expected
@@ -1,4 +1,3 @@
-problems
 | tst-IncompleteUrlSubstringSanitization.js:4:5:4:34 | x.index ...  !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:4:15:4:26 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.js:5:5:5:34 | x.index ...  !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:5:15:5:26 | "secure.net" | secure.net |
 | tst-IncompleteUrlSubstringSanitization.js:6:5:6:35 | x.index ...  !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:6:15:6:27 | ".secure.com" | .secure.com |
@@ -24,7 +23,3 @@ problems
 | tst-IncompleteUrlSubstringSanitization.js:73:5:73:48 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:73:15:73:42 | "https: ... oo/bar" | https://secure.com/foo/bar |
 | tst-IncompleteUrlSubstringSanitization.js:74:5:74:40 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:74:15:74:34 | "https://secure.com" | https://secure.com |
 | tst-IncompleteUrlSubstringSanitization.js:75:5:75:52 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:75:15:75:46 | "https: ... ar-baz" | https://secure.com/foo/bar-baz |
-testFailures
-| tst-IncompleteUrlSubstringSanitization.js:62:2:62:31 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | Unexpected result: Alert |
-| tst-IncompleteUrlSubstringSanitization.js:63:4:63:33 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | Unexpected result: Alert |
-| tst-IncompleteUrlSubstringSanitization.js:64:3:64:26 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | Unexpected result: Alert |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js
@@ -59,9 +59,9 @@
     x.startsWith("https://example.internal:80");
 
 	x.indexOf("secure.com") !== -1; // $ Alert
-	x.indexOf("secure.com") === -1;
-	!(x.indexOf("secure.com") !== -1);
-	!x.includes("secure.com");
+	x.indexOf("secure.com") === -1; // $ Alert
+	!(x.indexOf("secure.com") !== -1); // $ Alert
+	!x.includes("secure.com"); // $ Alert
 
 	if(!x.includes("secure.com")) { // $ Alert
 
